
I have to start a new project to be developed in MVC 4 and Web API. I have prior experience with MVC 4, but with Web API this will be my first project. I understand that Web API is there to be consumed by different platforms.

I have a few concerns related to Web API. I am presenting them to you guys as follows:

1) My first concern is related to user authentication. I looked into this SO question and followed the link1 and link2 given in the selected answer. I still have a couple of questions:

a) When we do user authentication through Forms Authentication we create a cookie that tracks whether the user is authenticated or not, but with Web API we do not store a cookie; instead the user credentials are passed in the content header. I didn't get how the user's logged-in status is tracked in this case?

b) My other concern is related to restricting unauthorized access, which I think I can find out in link 1 and link 2 provided above, if I am not wrong.

c) I looked at Edward Brey's answer (in the same SO question) as well for authentication, but I didn't get the idea completely.

2) My second doubt is about mixing Forms authentication and Basic HTTP authentication. Is it possible that for login I use Forms authentication and then for consuming Web API I use Basic HTTP authentication? If yes, then please guide me.

My questions may sound inappropriate, but please bear with me.

shrekDeep

1 Answer


1.a) RESTful APIs are stateless, so you are not keeping track of the user's logged-in status; rather, you are sending credentials which are verified for each of the requests.

1.b) Yes; if not, there are a number of articles on the web for that. Authorization filters can help you in achieving this.

1.c) In short, he has described simple logic to authorize the user before executing any of the methods in your API. Call EnsureAuthenticated before executing any of the methods in a controller, or put that logic in your Authorize filter.

2) Yes, you can do it. In RESTful APIs each call can be a new instance, and you can pass in credentials with whichever API requests you are making.

If you go into the discussion of Link 1 that you have provided, you will see:

In our specific case, the server generates the auth token by encoding the concatenated username and password as Base64 (the reverse of what is described in the article) and sending it back to the client via a HTTP header when it performs their ‘log in’ action. The clients then store this auth token and send it with each subsequent request that requires it.

If the format of the auth token is well known (as it is in my case), you could also just generate this yourself on the client and send that without having the server do this work.

You can use your login to generate an authentication token for the client, which you can then send attached to your Web API requests.

Guanxi
  • Thanks for the reply Guanxi. Could you please tell me, for question no. 2, what will be the best way to pass user credentials to Web API when Forms authentication is done? Or any other alternative way you could suggest? – shrekDeep Aug 12 '14 at 13:36
  • I have updated the answer. Let me know if that helps, but I am against passing credentials in every request, so it would be better if you generate a token in some other way; a hash of your username/password combination would do. – Guanxi Aug 12 '14 at 14:42
  • Great! I am thinking about a Session variable, but is storing the token in session like Session["token"]={encrypted token}; a good idea? – shrekDeep Aug 12 '14 at 16:23
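The pattern the answer describes (stateless per-request checks via an authorization filter, plus a login call that hands the client a token so the password is not resent every time) in ASP.NET Web API code. This is an added example written for this page; it is not code from the question, the answer, or the linked articles. It assumes the site's Forms login is backed by ASP.NET Membership (so Membership.ValidateUser is the shared credential check), and the names ApiTokenService, ApiAuthorizeAttribute and TokenController are hypothetical. The token is signed with HMAC-SHA256 under a server-side key rather than being a plain Base64 or hash of the credentials, so the server can verify it without storing anything per user and a client cannot mint one.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
using System.Web.Security;

// Hypothetical token service: the login call returns an HMAC-signed, expiring token.
public static class ApiTokenService
{
    // Assumption: a real deployment loads this key from protected configuration, not source.
    private static readonly byte[] ServerKey = Encoding.UTF8.GetBytes("replace-with-a-long-random-secret-from-config");

    // Token layout: "<user>|<expiry ticks>|<base64 HMAC-SHA256 over user|expiry>". Assumes user names contain no '|'.
    public static string Issue(string userName, TimeSpan lifetime)
    {
        string payload = userName + "|" + DateTime.UtcNow.Add(lifetime).Ticks;
        return payload + "|" + Convert.ToBase64String(Sign(payload));
    }

    // Returns the user name when the signature is genuine and the token is unexpired, otherwise null.
    public static string Validate(string token)
    {
        if (string.IsNullOrEmpty(token)) return null;
        string[] parts = token.Split('|');
        if (parts.Length != 3) return null;
        byte[] presented; long expiryTicks;
        try { presented = Convert.FromBase64String(parts[2]); } catch (FormatException) { return null; }
        if (!long.TryParse(parts[1], out expiryTicks)) return null;
        byte[] expected = Sign(parts[0] + "|" + parts[1]);
        if (!FixedTimeEquals(expected, presented)) return null;  // forged or tampered token
        if (expiryTicks < DateTime.UtcNow.Ticks) return null;    // expired token
        return parts[0];
    }

    private static byte[] Sign(string payload)
    {
        using (var hmac = new HMACSHA256(ServerKey))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }

    // Compare every byte so a wrong signature is not rejected faster than a nearly-right one.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// The "Authorize filter" from the answer: accepts Basic credentials checked against the same
// Membership store as the Forms login, or a Bearer token from ApiTokenService. Each request is
// checked on its own; no cookie or session is consulted (the stateless model in 1.a).
public class ApiAuthorizeAttribute : AuthorizationFilterAttribute
{
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        AuthenticationHeaderValue auth = actionContext.Request.Headers.Authorization;
        string userName = null;
        if (auth != null && auth.Scheme == "Basic")
            userName = CheckBasic(auth.Parameter);
        else if (auth != null && auth.Scheme == "Bearer")
            userName = ApiTokenService.Validate(auth.Parameter);
        if (userName == null)
        {
            HttpResponseMessage response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
            response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Basic", "realm=\"api\""));
            actionContext.Response = response;
            return;
        }
        // Expose the authenticated caller to the action via Thread.CurrentPrincipal.
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(userName, "ApiAuth"), new string[0]);
    }

    // Decodes "user:password" from the Basic parameter and verifies it against ASP.NET Membership.
    private static string CheckBasic(string parameter)
    {
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(parameter ?? "")); } catch (FormatException) { return null; }
        int colon = decoded.IndexOf(':');
        if (colon <= 0) return null;
        string user = decoded.Substring(0, colon), password = decoded.Substring(colon + 1);
        return Membership.ValidateUser(user, password) ? user : null;
    }
}

// Hypothetical login endpoint: POST api/token with Basic credentials once, then send
// "Authorization: Bearer <token>" on later API calls instead of the password.
public class TokenController : ApiController
{
    [ApiAuthorize]
    public HttpResponseMessage Post()
    {
        string token = ApiTokenService.Issue(Thread.CurrentPrincipal.Identity.Name, TimeSpan.FromHours(8));
        return Request.CreateResponse(HttpStatusCode.OK, new { token = token });
    }
}
```

Apply [ApiAuthorize] to any API controller or action that must be protected; a client authenticates once with Basic credentials against api/token, stores the returned string, and presents it as a Bearer header afterwards. Because the token is verified by recomputing the HMAC, the API needs no session state of its own, and whatever the MVC side keeps in Session is independent of it. Both the Basic credentials and the token are bearer secrets, so the API should only be exposed over HTTPS.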