I have searched for roughly 5 hours now on what would be the best method to "secure" data sessions/login sessions over WCF.

Some facts:

  • The WCF code is in C# and will be hosted online for all to use (API)
  • There will be a separate website that uses the API as a GUI for users
  • It will also be consumed by iPhone, Android and anything else I can think of
  • The data will be sent using JSON
  • Most importantly: the API will be accessed over SSL

Option 1 -

I have been toying with using cookies to secure access to the API system. I know an easy way, yet crude, is to submit a request as if it were an HTTP request from a browser and use Forms Authentication. I would prefer to do this using only JSON and cookies - assuming I go down that route.

Option 2 -

That being said about cookies, I thought of another way to accomplish this; maybe it is a more secure way also? I would like to pass an authentication (custom class) object through JSON along with the object(s) required for each call. Within this authentication object there would be two or more members:

  1. SessionID: This would be a GUID which is stored in the API's database
  2. HashValue: Possibly an MD5 hash, I haven't decided, that will be updated on each call

The idea of updating the HashValue on each successful call made to the API is so that the client's locally stored authentication object will be changed so that no spoofing could be carried out. At least I believe this, maybe I am wrong?

Note: This value would be generated server side, stored in the database and passed back to the client.

I am unsure which way to go. If option 2 would be a better way then away I go.

If Option 1 is the best, then my issue here is that I actually cannot find how to set the cookie in the WCF service on the API side. Any pointers?

Thanks for your help.
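As an added illustration of the Option 2 design (this is not code from the question): a server-side store keyed by SessionID that keeps only a hash of the current HashValue, checks the presented value in constant time, and rotates it on every successful call. Class and method names are assumptions. Two points worth noting for this scheme: the rotating value should come from a CSPRNG rather than an MD5 of anything predictable, since the protection rests on the next value being unguessable; and because each call invalidates the previous secret, two concurrent requests carrying the same token will have one of them rejected, so the client must serialize its calls or be prepared to retry.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the question): a server-side session store for the
// "SessionID + rotating HashValue" idea. All names here are hypothetical.
public sealed class AuthToken
{
    public Guid SessionId { get; set; }
    public string HashValue { get; set; }   // the per-call rotating secret, base64-encoded
}

public sealed class SessionStore
{
    private sealed class Entry
    {
        public byte[] TokenHash;   // SHA-256 of the current secret; the plaintext is never stored
        public DateTime Expires;
    }

    private readonly ConcurrentDictionary<Guid, Entry> _sessions = new ConcurrentDictionary<Guid, Entry>();
    private readonly TimeSpan _lifetime;

    public SessionStore(TimeSpan lifetime) { _lifetime = lifetime; }

    // Called after the user's credentials have already been verified elsewhere.
    public AuthToken CreateSession()
    {
        var id = Guid.NewGuid();
        string secret = NewSecret();
        _sessions[id] = new Entry { TokenHash = Sha256(secret), Expires = DateTime.UtcNow + _lifetime };
        return new AuthToken { SessionId = id, HashValue = secret };
    }

    // Validates the token presented with an API call. On success the secret is
    // rotated and the new token returned; on failure the session is revoked.
    public AuthToken ValidateAndRotate(AuthToken presented)
    {
        Entry entry, removed;
        if (presented == null || !_sessions.TryGetValue(presented.SessionId, out entry))
            return null;

        if (DateTime.UtcNow > entry.Expires)
        {
            _sessions.TryRemove(presented.SessionId, out removed);
            return null;
        }

        if (!FixedTimeEquals(Sha256(presented.HashValue ?? string.Empty), entry.TokenHash))
        {
            // A wrong secret for a known session looks like a replayed or stolen token: drop it.
            _sessions.TryRemove(presented.SessionId, out removed);
            return null;
        }

        string next = NewSecret();
        var replacement = new Entry { TokenHash = Sha256(next), Expires = DateTime.UtcNow + _lifetime };
        // Swap only if nobody else rotated first (two in-flight calls with the same token).
        if (!_sessions.TryUpdate(presented.SessionId, replacement, entry))
            return null;

        return new AuthToken { SessionId = presented.SessionId, HashValue = next };
    }

    private static string NewSecret()
    {
        var bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes);
    }

    private static byte[] Sha256(string s)
    {
        using (var sha = SHA256.Create()) return sha.ComputeHash(Encoding.UTF8.GetBytes(s));
    }

    // Constant-time comparison so response timing does not reveal how many bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The store deliberately records only a hash of the secret, so a read of the database does not yield usable tokens, and it revokes the session rather than merely rejecting the call when a mismatched value arrives, which is the signal that a copy of the token is being used elsewhere.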


Solution

The advantage of using Forms Authentication is that you then do not have to worry yourself with having the expertise of a security/cryptography professional. You can use an already hardened way to securely manage a session. Further, sticking with the HTTP protocol limits issues with firewalls as most places allow outgoing port 80 and 443 traffic.

Your option 2 is essentially doing the same thing as Forms Authentication yourself with a changing hash. Normally having a changing value (either hash or unpredictable value) is called a nonce and is used with OAuth.

Consider the OAuth support out there as it is platform independent and there are also already written libraries out there for that.

But if it were me and I'm using C# and WCF, I'd stick with Forms Authentication and put my effort into the actual logic in the API that is my particular expertise.
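As an added example (not code from the answer) of the approach it recommends, and of the cookie-setting step the question asked about: a JSON WCF service that issues a Forms Authentication ticket as a Set-Cookie header on login and verifies it from the Cookie header on later calls. This avoids needing ASP.NET compatibility mode because it never touches HttpContext; it does assume the service is hosted in IIS so that the web application's machineKey and forms settings are available to FormsAuthentication.Encrypt/Decrypt. The contract, the operation names, the 30-minute lifetime and the in-memory credential table are all assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Web;
using System.Web.Security;

// Added example, not the answer's own code: service and contract names are hypothetical.
[ServiceContract]
public interface IAuthApi
{
    [OperationContract]
    [WebInvoke(Method = "POST", UriTemplate = "login",
               BodyStyle = WebMessageBodyStyle.WrappedRequest,
               RequestFormat = WebMessageFormat.Json, ResponseFormat = WebMessageFormat.Json)]
    bool Login(string user, string password);

    [OperationContract]
    [WebGet(UriTemplate = "whoami", ResponseFormat = WebMessageFormat.Json)]
    string WhoAmI();
}

public class AuthApi : IAuthApi
{
    // Constructed sample credential store; a real service would compare salted password hashes.
    private static readonly Dictionary<string, string> Users = new Dictionary<string, string>
    {
        { "alice", "correct horse battery staple" }
    };

    public bool Login(string user, string password)
    {
        string expected;
        if (user == null || !Users.TryGetValue(user, out expected) || expected != password)
            return false;

        // The same encrypted, MAC-protected ticket ASP.NET Forms Authentication issues,
        // protected by the <machineKey> of the hosting web application.
        var ticket = new FormsAuthenticationTicket(1, user, DateTime.Now, DateTime.Now.AddMinutes(30),
                                                   false, string.Empty);
        // Secure: only sent over SSL (matching the question's setup). HttpOnly: not readable by page script.
        string cookie = string.Format("{0}={1}; Path=/; Secure; HttpOnly",
                                      FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket));
        WebOperationContext.Current.OutgoingResponse.Headers.Add(HttpResponseHeader.SetCookie, cookie);
        return true;
    }

    public string WhoAmI()
    {
        FormsAuthenticationTicket ticket = ReadTicket();
        if (ticket == null || ticket.Expired)
            throw new WebFaultException(HttpStatusCode.Unauthorized);
        return ticket.Name;
    }

    // Pulls the forms cookie out of the raw Cookie header and decrypts/verifies it.
    private static FormsAuthenticationTicket ReadTicket()
    {
        string header = WebOperationContext.Current.IncomingRequest.Headers[HttpRequestHeader.Cookie];
        if (string.IsNullOrEmpty(header)) return null;

        string prefix = FormsAuthentication.FormsCookieName + "=";
        foreach (string part in header.Split(';'))
        {
            string c = part.Trim();
            if (!c.StartsWith(prefix, StringComparison.Ordinal)) continue;
            try
            {
                // Returns null or throws when the ticket was tampered with or signed by another key.
                return FormsAuthentication.Decrypt(c.Substring(prefix.Length));
            }
            catch (ArgumentException) { return null; }
            catch (System.Web.HttpException) { return null; }
        }
        return null;
    }
}
```

Non-browser clients (the iPhone and Android apps in the question) simply store the value from Set-Cookie and send it back in a Cookie header on each JSON call; the ticket's expiry and MAC are checked by FormsAuthentication.Decrypt, so the service holds no session state of its own.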

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow