
I need your help. Can you please elaborate on how, when a sign-in request is sent to the server via a browser or an API, the server differentiates between these requests?

Thank you.

Stephen Kennedy
Owais
  • It may not always be possible to tell. A POST request from the browser could look the same as a POST request from another application calling the API. The `User-Agent` string might give it away. In ASP.Net the `IsPostBack` property can detect this. Can you tell us why you want to know? – Ste Griffiths May 15 '18 at 10:27
  • Let's turn the question around: why do you care where the request comes from? – DavidG May 15 '18 at 10:28
  • Because I'm a beginner and my instructor gave me this task to ask on Stack Overflow about this scenario. – Owais May 15 '18 at 10:30
  • @SteGriffiths That's *not* what `IsPostBack` does at all. – Bradley Uffner May 15 '18 at 10:30
  • @SteGriffiths And you're talking about WebForms, not MVC. – DavidG May 15 '18 at 10:30
  • @Owais Your instructor told you to ask a question on Stack Overflow? – DavidG May 15 '18 at 10:32
  • The server really just has to trust the client on this one. It is commonly done via the [`User-Agent` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/User-Agent), but I've seen other specialized headers. If the client "lies" there really is no way for the server to know about it. There could also be a specialized API end-point just for API based clients, but there is no way to enforce its use or restrict it to APIs only. – Bradley Uffner May 15 '18 at 10:32
  • An HTTP client is an HTTP client, whether it's a browser or some other client program; there should really be no reason for the user to care. If you want to try to restrict who can make requests to a particular server endpoint, you can use authentication, and/or techniques such as CSRF tokens which may help to distinguish whether the client is one you want to talk to or not, but does not tell what _type_ of client it is. User-agent strings can be used for that, as others have mentioned, but they're complex and varied, and also very easy to spoof, so you can't rely on them. – ADyson May 15 '18 at 10:54

1 Answer


I found an answer that might be helpful: How do I determine if a HTTP request came from a browser or something else like a web service?

Also have a read of this little article about ASP.NET API authentication: Basic Authentication in ASP.NET Web API

In Short:

If it is simply an HTTP request then you cannot know. Otherwise if you're developing an API there are techniques used for authentication of the client as it's described in the second link I put above.

Hope this helps.

George K
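The point made in the comments and the answer, as an added example that is not code from any of the posters: a `User-Agent` check returns the same verdict for a browser and for a script that sends the same header value, while HTTP Basic authentication decides on credentials instead. The client id, secret, salt, header values and function names are all constructed for illustration, and the request is modelled as a plain header dict.

```python
import base64
import hashlib
import hmac

ITERATIONS = 100_000
SALT = b"constructed-salt"  # constructed; use a random per-client salt in practice

def hash_secret(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)

# Constructed credential store: client id -> (salt, password hash).
CLIENTS = {"reporting-service": (SALT, hash_secret("s3cret:with:colons", SALT))}

def guess_client_type(headers: dict) -> str:
    """Heuristic only: the User-Agent header is fully controlled by the sender."""
    ua = headers.get("User-Agent", "")
    return "browser" if ua.startswith("Mozilla/") else "api-client"

def authenticate_basic(headers: dict):
    """Return the authenticated client id, or None. Only meaningful over TLS."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # malformed base64 or invalid UTF-8
        return None
    client_id, sep, password = decoded.partition(":")  # password may contain ':'
    if not sep:
        return None
    known = client_id in CLIENTS
    salt, expected = CLIENTS.get(client_id, (SALT, bytes(32)))
    # Hash even for unknown ids, then compare in constant time.
    matches = hmac.compare_digest(hash_secret(password, salt), expected)
    return client_id if known and matches else None

def basic_header(client_id: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{client_id}:{password}".encode()).decode()

# Constructed sample requests (header dicts only).
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0"
from_browser = {"User-Agent": BROWSER_UA}
from_script = {"User-Agent": BROWSER_UA,  # a script sending the same header value
               "Authorization": basic_header("reporting-service", "s3cret:with:colons")}

if __name__ == "__main__":
    for name, req in (("browser", from_browser), ("script", from_script)):
        print(name, guess_client_type(req), authenticate_basic(req))
```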