I am using AngularJS on the client side and Web API on the server side (C#). I'm trying to implement an authentication and authorization mechanism. I understand that session state is a "bad" practice for Web API, so I read about some more options, but some things were unclear to me; or perhaps someone could suggest a better solution to me. I would appreciate it.
1. After the user logs in successfully, generate a token for him and send it in the first response back to the client. The token will be added to any authorized request after that. The question is, how could the server tell which user that is? Use a DB to store data like username and system role id, with the token as key?
2. After the user logs in successfully, encrypt (or something like that) important data like 'username;system_role;other_info' and send it back as a token?
3. Perhaps use an encrypted 'FormsAuthenticationTicket' of ASP.NET? Like here?
I'm sorry for the long, and maybe too easy, question, but I really couldn't understand from the web what the 'best practice' is for my case, and it is the first time that I don't use session for authentication.
Thanks.
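A worked version of the second option above, added here as an example and not part of the original question: a self-contained token that the server can authenticate on every request without a session table. It uses an HMAC tag rather than encryption, because what the server needs is to detect tampering with the claims; the secret key, the claim layout and the expiry field are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the original post: a self-contained token
// "username;role;expiresUnix" protected by an HMAC-SHA256 tag, so the server
// learns who the caller is from the token itself, without a session store.
public static class SignedToken
{
    // Constructed demo secret: load a random 32+ byte key from server config and never send it to the client.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("demo-secret-replace-me");

    public static string Issue(string username, string role, DateTimeOffset expires)
    {
        if (username.Contains(";") || role.Contains(";"))
            throw new ArgumentException("claims must not contain the field separator");
        byte[] payload = Encoding.UTF8.GetBytes($"{username};{role};{expires.ToUnixTimeSeconds()}");
        return Base64Url(payload) + "." + Base64Url(Mac(payload));
    }

    // Returns the claims only when the tag verifies and the token is unexpired; null otherwise.
    public static (string Username, string Role)? Validate(string token, DateTimeOffset now)
    {
        string[] parts = token.Split('.');
        if (parts.Length != 2) return null;
        byte[] payload, tag;
        try { payload = FromBase64Url(parts[0]); tag = FromBase64Url(parts[1]); }
        catch (FormatException) { return null; }
        // Check the MAC first, in constant time, before trusting any claim.
        if (!FixedTimeEquals(Mac(payload), tag)) return null;
        string[] f = Encoding.UTF8.GetString(payload).Split(';');
        if (f.Length != 3 || !long.TryParse(f[2], out long exp)) return null;
        if (now.ToUnixTimeSeconds() >= exp) return null; // expired
        return (f[0], f[1]);
    }

    private static byte[] Mac(byte[] data) { using (var h = new HMACSHA256(Key)) return h.ComputeHash(data); }

    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length; // nonzero if the lengths differ
        for (int i = 0; i < Math.Min(a.Length, b.Length); i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    private static string Base64Url(byte[] b) => Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    private static byte[] FromBase64Url(string s) =>
        Convert.FromBase64String(s.Replace('-', '+').Replace('_', '/').PadRight((s.Length + 3) / 4 * 4, '='));
}
```

On the server, `Issue` runs once after a successful login and `Validate` runs in the authorization filter on each request; a token that fails validation is treated exactly like a missing one.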