Question

Let's assume that a client wants to become a new user (sign up) using an iPhone/iPad application. I need to add this new user record into the MSSQL database on my host. This request should come to my asp.net pages, and then I need to reply to the client. I was using this: www.exampleWebSite.com/registerUser.aspx?newUserEmail=aaa@aa.com&newUserPassword=123 and then I can return the result with JSON like this:

{
    "processResult":"True",
    "processMessage":"sign up is done"
}

It works like this, but I know this is not good for security, right? By the way, I can return all values (from the MSSQL database) and do all CRUD processing from my asp.net web site (.NET 4.0); I must use this.

So, first question: what is the best way to do this? Using a REST API? Second question: how can I send the data? (The client side is iOS.) Third question: how can I get the data? (The host side is asp.net C#.) Fourth question: can I develop a REST API with Visual Studio 2010, or do I need a higher version? Thanks!!


Solution

There are several ways to do it, but I can go over a few points:

  1. Make it a POST rather than a GET, as you are currently doing it in the query string. This is an idealistic approach; there's nothing stopping you from putting the username and password in the query string, but it's nicer if you put the registration info in the body.

  2. Make it HTTPS and ensure, in the client, that you trust the certificate that the server presents. This allows you to maintain an SSL connection between the client and the server without someone snooping on the body.

  3. You may want to consider making your JSON response more meaningful. By virtue of it being a 200 response, you can imply that processing was successful. You can return a 401 or 500 if the processing was unsuccessful. The JSON response could simply return OK or a user token that the client stores and uses to communicate with your server.

  4. The MVC Web API is a great framework for building RESTful web services in ASP.NET. See instructions here for VS 2010.

  5. As for getting the data, you could use the generated token in each request to get user-specific information; you would need to store that generated token in a database against the user upon registration.

As a further topic, you may also want to at least read up on OAuth and on implementing OAuth in your Web API. This would involve performing the login on your own website but giving the mobile client a secret token to use when communicating with your API; the token can also expire every, say, 30 minutes, and you would keep reissuing new tokens for that user. However, depending on the nature of your audience and the size of your application, you may not want to do this, and just having a 'static' token for each user may suit your purposes.
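Added example, not code from the question or the answer above: one way to put points 1, 2, 3 and 5 of the answer together in an ASP.NET Web API 1 controller on .NET 4.0 (the package that installs into VS 2010). The controller takes the registration data from a JSON POST body instead of the query string, refuses plain-HTTP requests, stores a salted PBKDF2 hash rather than the password, returns proper status codes, and hands back a random per-user token. The `IUserStore` interface, the `RegisterRequest`/`RegisterResponse` types, the route and the constructor injection (which assumes a Web API dependency resolver is configured) are all assumptions for illustration; the page does not show the original project's code.

```csharp
// Added example (not from the original Q&A). Assumes ASP.NET Web API 1 on .NET 4.0;
// IUserStore, the model names and the route are hypothetical.
using System;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Registration payload, sent as JSON in the POST body (point 1), never in the URL:
//   POST /api/users HTTP/1.1
//   Host: www.exampleWebSite.com
//   Content-Type: application/json
//
//   {"Email":"aaa@aa.com","Password":"correct horse battery staple"}
public class RegisterRequest
{
    public string Email { get; set; }
    public string Password { get; set; }
}

// Body of the 201 response: an opaque token the client stores and sends on later
// requests (point 3/5). No "processResult" string; the status code says it succeeded.
public class RegisterResponse
{
    public string Token { get; set; }
}

// Point 2: reject anything that did not arrive over TLS, so credentials are never
// accepted in the clear.
public class RequireHttpsAttribute : AuthorizationFilterAttribute
{
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        if (actionContext.Request.RequestUri.Scheme != Uri.UriSchemeHttps)
        {
            actionContext.Response = actionContext.Request.CreateResponse(
                HttpStatusCode.Forbidden, "HTTPS required");
        }
    }
}

// Hypothetical persistence boundary. A real implementation writes to the MSSQL
// Users table with SqlCommand + SqlParameter, never string-concatenated SQL.
public interface IUserStore
{
    bool EmailExists(string email);
    void Create(string email, string passwordHash, string salt, string token);
}

[RequireHttps]
public class UsersController : ApiController
{
    private const int SaltBytes = 16;
    private const int HashBytes = 32;
    private const int Pbkdf2Iterations = 10000;
    private readonly IUserStore _store;

    public UsersController(IUserStore store) { _store = store; }

    // POST api/users (matches the default "api/{controller}/{id}" route by verb).
    [HttpPost]
    public HttpResponseMessage Register([FromBody] RegisterRequest req)
    {
        if (req == null || string.IsNullOrWhiteSpace(req.Email) ||
            string.IsNullOrEmpty(req.Password) || req.Password.Length < 8)
        {
            // A bad request is the client's fault: 400, not 500.
            return Request.CreateResponse(HttpStatusCode.BadRequest,
                "Email and a password of at least 8 characters are required");
        }
        if (_store.EmailExists(req.Email))
        {
            return Request.CreateResponse(HttpStatusCode.Conflict, "Email already registered");
        }

        byte[] salt = new byte[SaltBytes];
        byte[] tokenBytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(salt);
            rng.GetBytes(tokenBytes);   // CSPRNG output as the opaque per-user token
        }

        // Store only a salted PBKDF2-HMAC-SHA1 hash of the password (Rfc2898DeriveBytes
        // is what .NET 4.0 ships); the plaintext is never written to the database.
        byte[] hash;
        using (var kdf = new Rfc2898DeriveBytes(req.Password, salt, Pbkdf2Iterations))
        {
            hash = kdf.GetBytes(HashBytes);
        }

        string token = Convert.ToBase64String(tokenBytes);
        _store.Create(req.Email, Convert.ToBase64String(hash),
                      Convert.ToBase64String(salt), token);

        // 201 Created carries the token the client will present on later calls.
        return Request.CreateResponse(HttpStatusCode.Created,
                                      new RegisterResponse { Token = token });
    }
}
```

On the iOS side the only thing the client needs to do differently from the query-string version is build a POST with `Content-Type: application/json` and the JSON object in the body, then keep the returned token (in the Keychain, not in plain user defaults) and send it on subsequent requests, for example in an `Authorization` header that the server looks up against the stored token. If the token is later treated like a password, store a hash of it server-side and compare against that, for the same reason the password itself is hashed here.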

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow