0

Background

I've a set of WCF REST services and an ASP.NET client application.

Everything about business, data, process and validation occurs in the services' infrastructure.

ASP.NET client application is a consumer of these WCF REST services.

In the near future, these WCF REST services will be consumed by mobile applications (Android, iOS and Windows Phone).

Problem

Optimal way of implementing authentication.

Possible approaches

  • Token authentication. First successful login generates an authentication token, which is transmitted over the wire back to the client. Next requests will send the authentication token stored in a cookie, because service layer maintains an authentication token store. Tokens will expire in an arbitrary time.

  • Session-state authentication store. First successful login marks a session in some session state store as an authenticated session. Since Web client stores its session identifier in a cookie, next requests will transport it and service layer checks if session for given identifier is authenticated. Sessions will expire in an arbitrary time.

Question

In my case, I would go for first option: token authentication.

Anyway, I'm worried about security issues, because if someone steals token or session identifier, this may be able to supplant owner's identity.

Summary: what would be your choice?. I'll appreciate that you talk about security concerns.

Note if you've another approach, you can talk about it, I'm open to other possible solutions.

Thank you.

Matías Fidemraizer
  • 63,804
  • 18
  • 124
  • 206
  • There's no reason to close this question as it's a **question**. It evolves facts, specific expertise. It's not opinion, it's experience. Some may provide a solution, other other one, but it's not a discussion, because it needs an exact answer. @casperOne, next time try to argue why you close questions. Thanks. – Matías Fidemraizer Dec 05 '11 at 08:01

1 Answers1

1

My take on this is that REST means working with the standards of the web, and the standard for "secure" transfer on the web is SSL. Anything else is going to be kind of funky and require extra deployment effort for clients, which will have to have encryption libraries available. SSL certificates are used for authentication. They help in detecting man-in-the-middle attacks such as are possible using DNS cache poisoning.

You might be also interested in the following topic about RESTFul authentication.

Community
  • 1
  • 1
Tomasz Jaskuλa
  • 15,723
  • 5
  • 46
  • 73
  • Your answer is useful as I could go reading a lot of articles about RESTful authentication starting from your link. By the way, I'm not sure if you understood my question rightly. It's not about application authentication, but _user_ authentication. Anyway, as I said before, a very useful answer. – Matías Fidemraizer Dec 05 '11 at 09:02