Question

I am a beginner at web development. I've done a fair amount of command line and some gui python development, and done web development using Drupal and Wordpress and static html/css, but never had to worry about managing sessions or logging in users. The few cases where that was needed, I just used Drupal/Wordpress.

I am committed to learning Flask/web development and have a project I've started. It is a simple 3 page app that makes calls to another site's XML API (I believe it is called a REST API). The site I'll be calling is Adobe's Connect, which houses a bunch of elearning courses and student data. Here is a link to their 'Getting Started' API documentation: http://help.adobe.com/en_US/connect/9.0/webservices/WS5b3ccc516d4fbf351e63e3d11a171dce72-7ff7_SP1.html

My app needs to be able to do the following: 1. When the student enters their user id/password into a form in my Flask app, I want to make a call out to the Connect API and log them in there (therefore simulating a single-sign-on). 2. Then, I want the user to be redirected to a page that lists the courses they are enrolled in (this data is pulled in from the Connect API).

My question/concern is regarding session and user security. The Connect API documentation recommends just making a call via URL. That seems a bit odd to me, but perhaps it is completely safe? I guess I just want to make sure I'm not passing user credentials 'in the clear'. So is making sure my site is https and the call is to an https URL (which Connect's API is) the correct way to do this?

I already have a command line script in Python that successfully integrates with Connect's web service - I can login a user, logout, make calls to return data. My next step is to re-create this as a web app.

Any advice/tips are greatly appreciated.


Solution

Sending of login credentials in a URL is only safe if you use secure HTTP (i.e. https://...). The documentation for Adobe Connect that you linked mentions this in a note, but many of the examples that they show use plain http://.... Very misleading.

Once you are logged in you receive a session, which you have to send in place of the credentials with future requests. The risk is lower with session IDs, but regardless, it is a good idea to also protect the session ID by sending all requests over secure HTTP.

Then you have a second problem to solve. The user credentials need to travel from the user's computer to your own server before you send them to Adobe Connect. Your server should also be on secure HTTP.

Finally, in the same way Adobe Connect "remembers" you with the session ID that you pass with all requests, you will need to have a session for each of your users so that each time they request a page you remember them and know what Adobe session to use for the requests that you need to send.

For your own session IDs you can just reuse the Adobe Connect session ID: you just send it to your user in a cookie and then you'll get it back each time they request a page. A more robust solution requires you to generate your own session IDs that are different from Adobe's and associate your sessions with Adobe sessions in your user database table.

There is an extremely useful extension called Flask-Login that does management of user sessions for authentication. It may save you some time if you decide to implement your own user sessions.

Good luck.
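The "more robust" design from the answer, as an added example that is not part of the original post and not Adobe's or Flask-Login's code: the server refuses to build a credential-bearing request unless the upstream URL is https, parses a constructed (not real) XML login response to obtain the upstream session token, then issues its own random session ID to the browser in a Secure/HttpOnly cookie and keeps the mapping to the upstream session server-side, so the Adobe session never leaves the server. The query parameter names (`action`, `login`, `password`) and the XML element names are assumptions; the page does not list the real ones, so check them against the Connect documentation.

```python
import secrets
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urlencode, urlsplit


def assert_https(url: str) -> str:
    """Refuse to send credentials or session tokens unless the URL is https."""
    scheme = urlsplit(url).scheme
    if scheme != "https":
        raise ValueError(f"credentials may only travel over https, got {scheme!r}")
    return url


def build_login_url(base_url: str, login: str, password: str) -> str:
    """Assumed parameter names (action/login/password); verify against the real API docs."""
    query = urlencode({"action": "login", "login": login, "password": password})
    return f"{assert_https(base_url)}?{query}"


def parse_upstream_session(xml_body: str) -> Optional[str]:
    """Extract the upstream session token from a login response.

    The <status code="ok"/> and <common><cookie> layout is an assumption made
    for this example; adjust to whatever the real service returns.
    """
    root = ET.fromstring(xml_body)
    status = root.find("status")
    if status is None or status.get("code") != "ok":
        return None
    return root.findtext("common/cookie")


class SessionStore:
    """Maps our own opaque session IDs to the upstream (Adobe) session token.

    Kept in memory here; a real deployment would back this with the user
    database table the answer mentions.
    """

    def __init__(self) -> None:
        self._sessions: dict[str, str] = {}

    def create(self, upstream_session: str) -> str:
        # 32 random bytes from the OS CSPRNG; unrelated to the upstream token,
        # so a leaked browser cookie does not expose the Adobe session directly.
        own_id = secrets.token_urlsafe(32)
        self._sessions[own_id] = upstream_session
        return own_id

    def upstream_for(self, own_id: str) -> Optional[str]:
        return self._sessions.get(own_id)

    def destroy(self, own_id: str) -> None:
        self._sessions.pop(own_id, None)


def session_cookie(own_id: str) -> str:
    """Set-Cookie value: Secure keeps it off plain http, HttpOnly keeps it from JS."""
    return f"session={own_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


# Constructed login response standing in for the real XML the API would return.
SAMPLE_RESPONSE = (
    '<results><status code="ok"/>'
    "<common><cookie>constructed-upstream-session-123</cookie></common></results>"
)


def login_flow(store: SessionStore, base_url: str, login: str, password: str) -> str:
    """Full round trip: validate the URL, 'call' upstream, mint our own session."""
    build_login_url(base_url, login, password)  # would be fetched with an HTTP client
    upstream = parse_upstream_session(SAMPLE_RESPONSE)  # stands in for the response
    if upstream is None:
        raise PermissionError("upstream login failed")
    return store.create(upstream)


if __name__ == "__main__":
    store = SessionStore()
    sid = login_flow(store, "https://connect.example.invalid/api/xml", "student", "pw")
    print(session_cookie(sid))
    print("upstream session for this browser:", store.upstream_for(sid))
```

The browser only ever sees `session=<random>`; every later page request looks up the Adobe token through `upstream_for`, and `destroy` on logout drops both at once.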

License: CC-BY-SA with attribution
Not affiliated with StackOverflow