
I am not sure if this is the right place to ask these kinds of questions, and I am sure all of you can help me out with a bit of a hard question.

I am building an ASPX site which will need to load a lot of JSON information to fill up the page. After thinking for a long time I have chosen to build a Web API 2, and I need to ask something about security.

When the user logs in to the site, he gets a "Token"; this token is then encrypted into a cookie. When the user asks for information from the Web API, he needs to go through
A - [AuthorizedChecker.CustomAuthorize], which looks like this:

using System.Web.Http;
using System.Web.Http.Controllers;

public class CustomAuthorizeAttribute : AuthorizeAttribute
{
    // Web API 2 calls this once per request before the action runs.
    // Returning false makes the base class answer with 401 Unauthorized.
    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        // Placeholder: the cookie decryption and session-id check go here.
        return true;
    }
}

and this will decrypt the cookie and check if the session-id is okay; if it is, it will give you the info you need, if not you will get false and be kicked out.

I just wanted to ask.. is that a good way? Am I doing it okay or wrong? I don't want to build something that will not work or will not get through a penetration test.

Thanks !

Alon M
  • Does no one know the answer to this? – Alon M Jan 30 '16 at 12:38
  • I don't see any problem with what you have described; I'm not a pen-tester but I believe the approach you describe is typical. There might be some more useful information in this post: https://stackoverflow.com/questions/22880/what-is-the-best-way-to-prevent-session-hijacking – Stevie Feb 01 '16 at 11:36
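The question shows only the skeleton of the attribute, so here is an added example (not the asker's code) of what the filled-in version of that design looks like in Web API 2: a token issued at login, protected with ASP.NET's `MachineKey.Protect`, written to a cookie, and verified on each request by a `CustomAuthorizeAttribute` that also confirms the session is still live on the server. The cookie name `auth`, the purpose strings, the `sessionId|expiresUtcTicks` payload layout and the in-memory `SessionRegistry` are all assumptions for the example.

```csharp
using System;
using System.Collections.Concurrent;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Security;

// Assumed server-side registry of live sessions. Login registers a session id, logout revokes it.
// A real application would use a store that survives application-pool recycles.
public static class SessionRegistry
{
    private static readonly ConcurrentDictionary<string, string> Active =
        new ConcurrentDictionary<string, string>();

    public static void Register(string sessionId, string userName) { Active[sessionId] = userName; }
    public static void Revoke(string sessionId) { string ignored; Active.TryRemove(sessionId, out ignored); }
    public static bool IsActive(string sessionId, out string userName)
    {
        return Active.TryGetValue(sessionId, out userName);
    }
}

public static class SessionToken
{
    // Purpose strings bind the ciphertext to this one use; Protect and Unprotect must use the same ones.
    private static readonly string[] Purposes = { "WebApi", "SessionCookie" };

    // Called at login. Payload layout (assumed): sessionId|expiresUtcTicks.
    // MachineKey.Protect both encrypts and authenticates, so a modified cookie fails to decrypt.
    public static string Issue(string sessionId, TimeSpan lifetime)
    {
        string payload = sessionId + "|" + DateTime.UtcNow.Add(lifetime).Ticks;
        byte[] protectedBytes = MachineKey.Protect(Encoding.UTF8.GetBytes(payload), Purposes);
        return HttpServerUtility.UrlTokenEncode(protectedBytes); // cookie-safe encoding
    }

    // Returns the session id if the token is authentic and unexpired, otherwise null.
    public static string Validate(string token)
    {
        if (string.IsNullOrEmpty(token)) return null;
        byte[] protectedBytes = HttpServerUtility.UrlTokenDecode(token);
        if (protectedBytes == null) return null; // not valid encoding

        byte[] plain;
        try { plain = MachineKey.Unprotect(protectedBytes, Purposes); }
        catch (CryptographicException) { return null; } // tampered, or protected with another key

        string[] parts = Encoding.UTF8.GetString(plain).Split('|');
        long expiresTicks;
        if (parts.Length != 2 || !long.TryParse(parts[1], out expiresTicks)) return null;
        if (new DateTime(expiresTicks, DateTimeKind.Utc) < DateTime.UtcNow) return null; // expired
        return parts[0];
    }
}

public class CustomAuthorizeAttribute : AuthorizeAttribute
{
    private const string CookieName = "auth"; // assumed name of the cookie written at login

    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        HttpRequestMessage request = actionContext.Request;

        // Browsers attach cookies to cross-site requests on their own, so also require a header
        // that a plain cross-site form post cannot add. This only helps while CORS stays closed.
        if (!request.Headers.Contains("X-Requested-With")) return false;

        CookieHeaderValue cookieHeader = request.Headers.GetCookies(CookieName).FirstOrDefault();
        CookieState cookie = cookieHeader == null ? null : cookieHeader[CookieName];
        string sessionId = SessionToken.Validate(cookie == null ? null : cookie.Value);
        if (sessionId == null) return false;

        // An authentic cookie is not enough on its own: the session must still be live on the
        // server, so that logout or an administrative revocation ends access immediately.
        string userName;
        if (!SessionRegistry.IsActive(sessionId, out userName)) return false;

        // Hand the authenticated user to the rest of the pipeline.
        var identity = new ClaimsIdentity("SessionCookie");
        identity.AddClaim(new Claim(ClaimTypes.Name, userName));
        actionContext.RequestContext.Principal = new ClaimsPrincipal(identity);
        return true; // the base class answers 401 whenever this returns false
    }
}
```

At login the cookie carrying `SessionToken.Issue(...)` should be set with `HttpOnly` and `Secure` so script cannot read it and it only travels over TLS; on a web farm every node needs the same `machineKey` in web.config, otherwise `Unprotect` fails on nodes that did not issue the token.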

0 Answers