
everybody.

Say, I have a web server and a client, which connects to it for the first time. The authentication mechanism is:

1) parse the client's UsernameToken element and retrieve its username, password and nonce.
2) evaluate a hash: SHA2(username + password + nonce)
3) check if a database contains such a hash.

Let's assume that there is such a hash. The question is, how to know that the client is already authenticated, when it connects the second time?

  • Searching the DB is rather expensive, so I can't do it at every connect.

  • Saving the client's hash in memory will increase the performance, but how long should it be present in such a registry, and it seems to be a huge security hole.

  • Session parameter? But how can it be implemented in the web-services context?

Dmitry
  • Check http://stackoverflow.com/questions/3592330/restful-web-service-authentication and http://stackoverflow.com/questions/319530/restful-authentication to get some ideas. – Luciano Mar 05 '12 at 13:32
  • Well, there are interesting points. So, am I right that I can create a session somehow (it would be great if somebody could share an article on it =) ) and use hash(username/password/nonce) to identify it. If the session exists - the user is authenticated? – Dmitry Mar 05 '12 at 15:40

0 Answers
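The question's three bullet points (no DB lookup on every connect, how long a cached credential may live, how a session fits a web-service) are easiest to see in code. The following is an added example, not code from the question or its comments. It assumes: the digest the client sends is SHA-256 over username + password + nonce as in step 2; the server can recompute that digest because it holds the password for the account (a constructed toy store stands in for the database); after one successful DB-backed verification the server issues a random session token kept in an in-memory registry with a fixed lifetime, so the second connect is a memory lookup only; and nonces are remembered for a short window so a captured first-connect message cannot simply be replayed. Names such as `AuthServer`, `USER_DB` and the TTL constants are hypothetical.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed sample "database": username -> password the server verifies against.
# The question's digest SHA2(username + password + nonce) can only be recomputed
# server-side if the server holds the password (or an equivalent secret), so this
# toy store keeps it directly. Test data only, not a real credential store.
USER_DB: Dict[str, str] = {"alice": "correct horse battery staple"}

SESSION_TTL_SECONDS = 15 * 60    # how long an issued session token stays valid
NONCE_WINDOW_SECONDS = 5 * 60    # how long a seen nonce is remembered for replay checks


def client_digest(username: str, password: str, nonce: str) -> str:
    """The value the client sends: SHA-256 over username + password + nonce (step 2)."""
    return hashlib.sha256((username + password + nonce).encode("utf-8")).hexdigest()


@dataclass
class Session:
    username: str
    expires_at: float


class AuthServer:
    """Hypothetical server side: DB-backed check on first connect, memory-only afterwards."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now                                # injectable clock for testing
        self._sessions: Dict[str, Session] = {}        # session token -> Session
        self._seen_nonces: Dict[str, float] = {}       # nonce -> time first seen

    def _expire(self) -> None:
        """Drop sessions past their TTL and nonces older than the replay window."""
        now = self._now()
        self._sessions = {t: s for t, s in self._sessions.items() if s.expires_at > now}
        self._seen_nonces = {n: t for n, t in self._seen_nonces.items()
                             if now - t < NONCE_WINDOW_SECONDS}

    def first_connect(self, username: str, digest: str, nonce: str) -> Optional[str]:
        """Steps 1-3 of the question: verify the UsernameToken digest against the
        store, then hand back a session token so later connects skip the DB."""
        self._expire()
        if nonce in self._seen_nonces:
            return None                                # replayed nonce: reject
        self._seen_nonces[nonce] = self._now()         # burn the nonce even on failure
        password = USER_DB.get(username)               # the expensive DB lookup
        if password is None:
            return None
        expected = client_digest(username, password, nonce)
        if not hmac.compare_digest(expected, digest):  # constant-time comparison
            return None
        token = secrets.token_urlsafe(32)              # unguessable session identifier
        self._sessions[token] = Session(username, self._now() + SESSION_TTL_SECONDS)
        return token

    def authenticated_user(self, token: str) -> Optional[str]:
        """Second and later connects: in-memory registry lookup only, no DB query.
        Returns the username, or None if the token is unknown or expired."""
        self._expire()
        session = self._sessions.get(token)
        return session.username if session else None

    def logout(self, token: str) -> None:
        """Explicit invalidation so a session does not linger until its TTL."""
        self._sessions.pop(token, None)


if __name__ == "__main__":
    server = AuthServer()
    nonce = secrets.token_hex(16)                      # the client picks a fresh nonce
    token = server.first_connect("alice", client_digest("alice", USER_DB["alice"], nonce), nonce)
    print("issued token:", token is not None)
    print("second connect user:", server.authenticated_user(token))
```

The session token, not the credential hash, is what identifies the client on later connects, so the registry holds nothing that could be reused as a login credential if it leaked; the TTL bounds how long a stolen token is useful, and `logout` cuts it shorter. In a web-service setting the token travels in a header or a security token element on each request, and the registry can be moved from a process dictionary to a shared cache without changing the logic.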