6

I am trying to add a REST interface to Django for a mobile client. The mobile client will use JSON over HTTPS. I have not been able to find the "best" way to accomplish this for mobile devices. From searching around, it seems that #2 is more favorable to #1:

  1. Use HTTP authentication and establish a cookie based session. All transactions will occur over HTTP and JSON messages will only contain commands or data.
  2. Pass the username and password (encrypted) within each JSON msg for all transactions and do not rely on cookie-based sessions.
ewhitt

4 Answers

8

I would recommend sending the username / password first with a login call. The JSON will pass back an authToken or accessToken which the mobile device will send back for all subsequent calls. You will then check to make sure the authToken is valid. This is the approach many APIs take. In their database they will bind the API key to the user's account that they logged in with.

Bot
  • Thanks. I like this approach. Does this truncation type have a name or something I could Google further by chance? – ewhitt Mar 02 '12 at 03:09
  • @ewhitt it is considered token based authentication http://upcoming.yahoo.com/services/api/token_auth.php – Bot Mar 02 '12 at 16:16
  • @Bot How about if the attacker trying to log in and get the token and use the token to make api request? – Yohanim May 10 '21 at 16:39
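The login-then-token flow Bot describes, as an added example that is not part of the original answer. It is plain Python rather than a Django view so it runs stand-alone; the `TokenStore` class, the `USERS` table, the sample credentials and the `handle_request` dispatcher are all constructed for this example. Only a digest of each token is stored server-side, tokens expire, and a token is bound to exactly one account, which addresses Yohanim's follow-up: a token only helps an attacker who first obtained valid credentials or stole a live token, and short lifetimes plus logout limit the latter.

```python
# Added example (not from the original post): a minimal token-based
# authentication store of the kind the answer above describes.
# TokenStore, login(), authenticate() and handle_request() are assumptions
# of this example, not Django or DRF APIs.
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 3600


def _hash_password(salt: bytes, password: str) -> bytes:
    # Stand-in for Django's password hasher.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _digest(token: str) -> str:
    # Tokens are stored hashed so a leaked table yields nothing usable.
    return hashlib.sha256(token.encode()).hexdigest()


# Constructed sample user table: username -> (salt, derived key)
_SALT = b"constructed-static-salt"
USERS = {
    "alice": (_SALT, _hash_password(_SALT, "correct horse battery staple")),
}


class TokenStore:
    """Maps opaque tokens to the account that created them.

    The clock is injectable so expiry can be exercised deterministically.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._tokens = {}  # sha256(token) -> (username, expires_at)

    def login(self, username: str, password: str):
        """Exchange credentials for a fresh token; return None on failure."""
        record = USERS.get(username)
        if record is None:
            # Hash anyway so an unknown user costs as much as a wrong password.
            _hash_password(_SALT, password)
            return None
        salt, expected = record
        if not hmac.compare_digest(_hash_password(salt, password), expected):
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[_digest(token)] = (username, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def authenticate(self, token: str):
        """Return the username bound to a valid, unexpired token, else None."""
        key = _digest(token)
        entry = self._tokens.get(key)
        if entry is None:
            return None
        username, expires_at = entry
        if self._clock() >= expires_at:
            del self._tokens[key]
            return None
        return username

    def logout(self, token: str):
        self._tokens.pop(_digest(token), None)


def handle_request(store: TokenStore, message: dict) -> dict:
    """Dispatch a constructed JSON message of the form {"token": ..., "command": ...}."""
    user = store.authenticate(message.get("token", ""))
    if user is None:
        return {"status": 401, "error": "invalid or expired token"}
    return {"status": 200, "user": user, "result": "ran " + str(message.get("command"))}
```

In a Django deployment the `USERS` table is the `User` model, `login` is the one view that accepts a password, and every other view checks the token the way `handle_request` does; the token itself is a bearer credential, so it is only ever sent over HTTPS.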
3

OAuth is overkill unless you want to make these services available to other developers (which they would access on behalf of your end users). Better to go with option 2, but I would recommend using Digest Authentication as opposed to Password Authentication. Combine that with SSL and you are definitely good to go.

Perception
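The Digest Authentication that Perception recommends over sending the password, as an added example that is not part of the original answer. It implements the RFC 2617 computation with `qop="auth"` in plain Python; `DigestServer`, `client_response`, the realm name and the sample user are constructed for this example. The point it shows is that the server stores only HA1 and the client sends only a hash over a server nonce, so the password never crosses the wire, and that the nonce bookkeeping is what stops a captured response from being replayed. Digest does not encrypt the request body, which is why the answer pairs it with SSL.

```python
# Added example (not from the original post): HTTP Digest authentication
# per RFC 2617 with qop="auth". DigestServer and client_response are
# assumptions of this example, not a library API.
import hashlib
import hmac
import secrets
import time

REALM = "mobile-api"   # constructed realm name
NONCE_TTL = 300        # seconds a server nonce stays valid


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    # RFC 2617 HA1: the only password-derived value the server keeps.
    return _md5(f"{username}:{realm}:{password}")


def client_response(username, password, method, uri, nonce, nc, cnonce):
    """Build the Authorization fields the client sends; the password stays local."""
    h2 = _md5(f"{method}:{uri}")
    resp = _md5(f"{ha1(username, REALM, password)}:{nonce}:{nc}:{cnonce}:auth:{h2}")
    return {"username": username, "nonce": nonce, "nc": nc,
            "cnonce": cnonce, "qop": "auth", "response": resp}


class DigestServer:
    def __init__(self, clock=time.time):
        self._clock = clock
        # Constructed sample user; HA1 is stored, never the password.
        self._users = {"alice": ha1("alice", REALM, "correct horse battery staple")}
        self._nonces = {}  # nonce -> (issued_at, highest nonce-count accepted)

    def challenge(self) -> dict:
        """The WWW-Authenticate parameters sent on a 401."""
        nonce = secrets.token_hex(16)
        self._nonces[nonce] = (self._clock(), 0)
        return {"realm": REALM, "nonce": nonce, "qop": "auth"}

    def verify(self, method: str, uri: str, auth: dict) -> bool:
        nonce = auth["nonce"]
        entry = self._nonces.get(nonce)
        if entry is None:
            return False                      # nonce we never issued
        issued, last_nc = entry
        if self._clock() - issued > NONCE_TTL:
            del self._nonces[nonce]
            return False                      # stale nonce
        nc = int(auth["nc"], 16)
        if nc <= last_nc:
            return False                      # replayed nonce count
        h1 = self._users.get(auth["username"])
        if h1 is None:
            return False
        h2 = _md5(f"{method}:{uri}")
        expected = _md5(f"{h1}:{nonce}:{auth['nc']}:{auth['cnonce']}:auth:{h2}")
        if not hmac.compare_digest(expected, auth["response"]):
            return False
        self._nonces[nonce] = (issued, nc)    # record progress against replay
        return True
```

Usage: the client first calls the API, receives a 401 carrying `challenge()`, then resends with the fields from `client_response`, incrementing `nc` for each request that reuses the same nonce. A real server would also bind the nonce to the client and cap how long one nonce may be reused.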
1

Number 2 is preferable, and rather than roll your own, I would recommend using OAuth authentication if possible. Both client and server libraries are readily available for use on most platforms now. Check http://oauth.net for details.

Mike Fahy
  • I would definitely start with the "Get started" section of the OAuth.net web site mentioned above. It has links to much of the OAuth info available today. – Mike Fahy Feb 29 '12 at 23:12
0

So long as you're using actual encryption and not base64 or some homegrown obfuscation algorithm, #2 is fine and dandy. You might also want to consider the route many companies take, which is binding an API key to a username.

jathanism
  • Is encryption still necessary if everything will be sent in SSL? – ewhitt Mar 01 '12 at 09:13
  • SSL is encryption. It's just encryption at a different layer of the communication stack - SSL encrypts the entire communication channel rather than just selected contents of a particular message. It is therefore generally more expensive. To do both may be a waste of resources. – QED Mar 01 '12 at 18:36