
I am working on one MVC application, where there is a separate WEB API project also. Now I want to implement update-email functionality based on OTP verification from mobile via the WEB API. The Web API is stateless, but still I want to implement SESSION in my code so that I can access the OTP value in the subsequent request and validate it. Currently, I am able to store the OTP in session in the first request, but in the next request Session is null and I cannot access the stored OTP value.

I do not want a database trip to store and retrieve the OTP.

public HttpResponseMessage SendOtpOnMobile([FromBody]OtpOnMobileAPIRequest objOtpOnMobileAPIRequest)
{
    // Generate a 4-digit OTP and keep it in session for the follow-up request
    var otpValue = CommonUtility.GenerateRandomOTP(4);
    HttpContext.Current.Session["otpGeneratedValue"] = otpValue;
    //Send OTP logic and response code
    ....
}

public HttpResponseMessage ValidateOtpFromMobile([FromBody]ValidateOtpFromMobileAPIRequest objValidateOtpFromMobileAPIRequest)
{
    // Session is null here in the next request, so the stored value is lost
    var otpGeneratedValue = HttpContext.Current.Session["otpGeneratedValue"] as string;
    if (objValidateOtpFromMobileAPIRequest.OTP == otpGeneratedValue)
    {
        //success
    }
    ....
}

I have tried the following URLs.

ASP.NET Web API session or something?

Accessing Session Using ASP.NET Web API

  • Usually, an OTP is valid for a few minutes, so instead of relying on session storage (which breaks the REST API concept of being purely stateless), store the value in persistent storage (like SQL or Azure Table etc.), which breaks the tight dependency on sessions. – user1672994 Apr 18 '18 at 12:49

2 Answers


What you want to do and what is achievable are two different things.

Each call to the API will be discrete and won't keep track of previous requests. However, since you have an MVC app as well, I suggest you maintain the session there and simply pass whatever you want to the API as a parameter, for example.

So, return the OTP code you generated to your MVC app, if you can, and store it in session there; then on subsequent API requests, pass it through from your web app.

It would help if you described the flow of your application, as suggestions will be based on that.

If you have multiple clients using your API, then each one of them will have to either maintain data required to function properly, or you will need to do that extra database trip. It's up to you which solution works better for your specific scenario.

Andrei Dragotoniu
  • Thanks @andrei-dragotoniu for the reply. Yes, I can manage it in my MVC app. But the same API is also used by the mobile team. I have exposed the API for Android and iOS applications. – wasim mulla Apr 18 '18 at 12:58

That's great that you know "APIs are stateless". I completely agree with the words of Andrei:

What you want to do and what is achievable are two different things.

If you don't want to store the OTP in your database, then why don't you pass the OTP in the HttpRequestHeader?

Pass the OTP in your header (preferably an encrypted OTP, and then decrypt it in your WEB API).

Suggesting this way as per your needs.

dLcreations
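Making the header approach in this answer (and the pass-it-through approach in Andrei's) concrete, as an added example that is not code from the question or either answer: rather than encrypting the OTP, the server hands the client an HMAC commitment over the mobile number, the OTP and an expiry, and recomputes it when the client returns that token together with the OTP the user typed. The `StatelessOtp` class name and the key value are assumptions for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Stateless OTP commitment: the token returned by SendOtpOnMobile binds
// (mobile, otp, expiry) under a server-side HMAC key. The client sends the
// token back with the OTP the user typed, and the server recomputes the MAC.
// The token does not contain the OTP, so the client cannot read it out.
public static class StatelessOtp
{
    // Hypothetical key material for this example; load a random 32-byte key
    // from protected configuration in a real deployment.
    private static readonly byte[] Key =
        Encoding.UTF8.GetBytes("EXAMPLE-KEY-replace-with-32-random-bytes");

    // Token format: "<expiryUnixSeconds>.<base64 HMAC-SHA256>"
    public static string Issue(string mobile, string otp, DateTimeOffset expiresAt)
    {
        long exp = expiresAt.ToUnixTimeSeconds();
        return exp + "." + Convert.ToBase64String(Mac(mobile, otp, exp));
    }

    // True only if the token is unexpired and commits to exactly this
    // (mobile, otp) pair. Malformed tokens are rejected, never thrown on.
    public static bool Verify(string mobile, string otp, string token, DateTimeOffset now)
    {
        if (token == null) return false;
        int dot = token.IndexOf('.');
        long exp;
        if (dot < 0 || !long.TryParse(token.Substring(0, dot), out exp)) return false;
        if (now.ToUnixTimeSeconds() > exp) return false; // expired
        byte[] presented;
        try { presented = Convert.FromBase64String(token.Substring(dot + 1)); }
        catch (FormatException) { return false; }
        byte[] expected = Mac(mobile, otp, exp);
        // Constant-time comparison so a wrong guess does not leak how many
        // bytes matched (portable to .NET Framework, unlike FixedTimeEquals).
        if (presented.Length != expected.Length) return false;
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= presented[i] ^ expected[i];
        return diff == 0;
    }

    private static byte[] Mac(string mobile, string otp, long exp)
    {
        // '|' cannot occur in a phone number or numeric OTP, so fields cannot collide.
        string msg = mobile + "|" + exp + "|" + otp;
        using (var h = new HMACSHA256(Key))
            return h.ComputeHash(Encoding.UTF8.GetBytes(msg));
    }
}
```

Because the token is not consumed server-side, keep the expiry short and rate-limit Verify calls per mobile number (a 4-digit OTP has only 10,000 values). Pass the mobile number from the validating request itself so a token issued for one number cannot be replayed for another.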