Please provide your feedback on my solution against the following requirements.

Requirement (similar to):

1.a Let's say that the authentication token is made out of the email and date and is encrypted.

1.b The authentication token is sent back to the client through a header.

1.c The authentication token is stored on the client and the server.

My solution:

1) To send the authentication token back to the client through a header, I have used a cookie and the following code.

    // Set the (already encrypted) token as a cookie on the response
    HttpCookie cookie = new HttpCookie("AuthenticationToken");
    cookie.Value = "EncryptedToken";
    Response.Cookies.Add(cookie);

2) I will store the authentication token in the database, and for each request I compare the token saved in the cookie with the token stored in the database. (Assume that the encrypt/decrypt operations are done properly.)

Your feedback/comments?

aamir sajjad
  • Cookies work fine for web browsers, but if you wish to also target mobile and desktop clients you may want to consider something else – cecilphillip Apr 11 '12 at 04:05
  • You are right. I have ended up using SQLite, and send the authentication token through an HTTP header. – aamir sajjad Apr 11 '12 at 04:48

2 Answers

1

I have no expert knowledge in security. To me your idea sounds doable.

However, I was curious why you wanted to do "custom" authentication like this? Have you taken a look at the "built-in" ASP.NET authentication done in Web API?

Then you could create a custom HttpOperationHandler using standard .NET stuff like:

var ticket = FormsAuthentication.Decrypt(val);   // val: the encrypted ticket taken from the request
var ident = new FormsIdentity(ticket);           // identity backed by the decrypted ticket
...
var principal = new GenericPrincipal(ident, new string[0]);
Thread.CurrentPrincipal = principal;             // make the caller visible to the rest of the pipeline
...
if (!principal.Identity.IsAuthenticated)
    return false;

Also, you might want to read about Thread.CurrentPrincipal and Current.User

The pro is that you don't need to store the authentication token in some DB on the server and retrieve it on every request.

Cotten
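As an added example (not code from the question or from either answer), this is what the stateless variant discussed above looks like end to end: the token is a FormsAuthentication ticket carrying the email plus issue and expiry dates (requirement 1.a), it is returned in a response header rather than a cookie (requirement 1.b, and the comment about non-browser clients), and each request is checked by decrypting and validating the ticket instead of comparing it against a database copy. The header name and class names are assumptions; the ticket is protected by the application's machineKey, so a tampered or foreign ticket fails to decrypt.

```csharp
using System;
using System.Security.Principal;
using System.Threading;
using System.Web;
using System.Web.Security;

public static class TokenAuth
{
    // Assumed header name; any custom header works for browser, mobile and desktop clients.
    public const string HeaderName = "X-Authentication-Token";

    // 1.a: build the token from the email and the issue/expiry dates, then encrypt it.
    public static string Issue(string email, TimeSpan lifetime)
    {
        DateTime now = DateTime.UtcNow;
        var ticket = new FormsAuthenticationTicket(
            1,                 // ticket version
            email,             // user name carried in the ticket
            now,               // issue date
            now.Add(lifetime), // expiration, checked on every request below
            false,             // not persistent
            string.Empty);     // no extra user data
        return FormsAuthentication.Encrypt(ticket); // encrypted and MAC-protected via machineKey
    }

    // 1.b: hand the token back to the client in a response header.
    public static void Send(HttpResponse response, string token)
    {
        response.AppendHeader(HeaderName, token);
    }

    // Per request: decrypt, reject tampered or expired tickets, and set the current principal.
    // Returns true only for a valid, unexpired ticket; no database lookup is needed.
    public static bool Authenticate(string token)
    {
        if (string.IsNullOrEmpty(token)) return false;

        FormsAuthenticationTicket ticket;
        try { ticket = FormsAuthentication.Decrypt(token); }
        catch (ArgumentException) { return false; } // malformed ticket
        if (ticket == null || ticket.Expired) return false; // wrong key/tampered, or past expiry

        var identity = new FormsIdentity(ticket);
        Thread.CurrentPrincipal = new GenericPrincipal(identity, new string[0]);
        return identity.IsAuthenticated;
    }
}
```

A handler would read the header from the incoming request, call Authenticate, and reject the request when it returns false; keep the Issue/Authenticate lifetime short, since an unstored ticket cannot be revoked before it expires without adding server-side state again.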
1

It looks OK to me. However, if you are encrypting (so you can decrypt back) and can find out the email (identifying the user) and the time the token was issued (hence verify whether it has expired or not), do you still need to store it in the database? I would only if I had other requirements such as tracking, etc.

Aliostad
  • I am storing it in the database, because otherwise how can I track the user among different requests?
    For example, the first user request is a GET, the next request is a POST...
    So basically I am verifying the user for each request... I hope that I have explained it.
    – aamir sajjad Apr 08 '12 at 13:11