0

I'm writing a Rails web service and I would like to use authlogic for authentication, since this seems to be one of the most used and active authentication gems. Our clients should be able to authenticate with their user credentials, so I decided to use HTTP basic auth (authenticate_or_request_with_http_basic) with SSL.

I would like to add some more security by replacing the original password for authentication with a hash of password, URL and request time to ensure that a request can be used only in a short time window. Since web service and client time are not synchronized, I have to send the client time alongside the login credentials. How can I add the client date to the authentication header and read it using the authenticate_or_request_with_http_basic method?

MPelletier
trackmate

1 Answer

0

Why do you need to send the time details to the client? You could store the TTL of the authentication server-side and validate all future requests against that TTL.

Successful authentication can result in a message to the client saying they have xxx mins/days (the TTL) to do what they need to do. When the TTL has expired, your web service should return a neutral response to the client (the same as if an authentication attempt failed - to protect yourself from hack attempts).

Best not to mess around with client date info. What if the date on their machine is wrong?

Update: I'm still worried about the whole client date thing. Take a look at how others have implemented APIs with Rails.

edralph
  • Hi edralph, thanks for your answer. I'm quite new to Rails and authentication, but my idea was to require new authentication and a unique password on every single API call. The password could be a timestamp, original password and the request URL hashed together. By using the timestamp in the hash I could ensure that the same API call with its credentials is used only once, or let's say only in a short time window. I could validate the client timestamp against the current server date with a tolerance of some minutes to prevent back-dated client dates. – trackmate Jul 09 '12 at 13:24
  • But in the end I need to recreate the hash for validation on the server side and therefore I need the exact client date. I could pass the client date as a GET parameter in every request URI, but I don't want to use this solution for every API method. Is there a possibility to add a timestamp to a basic auth header? – trackmate Jul 09 '12 at 13:24
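The scheme trackmate describes in the comments, packed into the password field of the Basic header so the client timestamp needs no extra parameter, as an added plain-Ruby example (not code from the question, the answer, or authlogic). The per-user shared secret, the 300-second window and the in-memory replay table are assumptions of the example; every non-:ok result should map to the same neutral 401 the answer recommends.

```ruby
require "openssl"
require "base64"

# Constructed demo data: the per-user secret the server keeps for verifying
# request signatures (an API secret, not the login password authlogic hashes).
SECRETS = { "alice" => "demo-shared-secret" }.freeze
WINDOW  = 300 # seconds of allowed clock skew, which is also the replay window

# HMAC over method, path and client timestamp: the "hash of password, URL
# and request time" from the question, with a keyed MAC instead of a bare hash.
def signature(secret, method, path, ts)
  OpenSSL::HMAC.hexdigest("SHA256", secret, "#{method.upcase}\n#{path}\n#{ts}")
end

# Constant-time comparison so the signature check does not leak timing.
def secure_eq(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Client side: the password field carries "timestamp:hmac", so the client
# time travels inside the ordinary Basic Authorization header.
def build_auth_header(user, secret, method, path, ts)
  token = "#{ts}:#{signature(secret, method, path, ts)}"
  "Basic " + Base64.strict_encode64("#{user}:#{token}")
end

# Server side: split the header the way authenticate_or_request_with_http_basic
# does before yielding (user, password) to its block.
def parse_basic(header)
  return nil unless header.is_a?(String) && header.start_with?("Basic ")
  Base64.decode64(header[6..]).split(":", 2)
end

# Verify one request. `seen` remembers signatures accepted inside the window
# so a captured request cannot be replayed; returns :ok or the rejection reason.
def verify(header, method, path, now, seen = {})
  user, token = parse_basic(header)
  return :malformed unless user && token
  secret = SECRETS[user]
  return :unknown_user unless secret
  ts_str, given = token.split(":", 2)
  return :malformed unless ts_str =~ /\A\d+\z/ && given
  ts = ts_str.to_i
  return :stale unless (now - ts).abs <= WINDOW       # clock skew / expired
  return :bad_signature unless secure_eq(given, signature(secret, method, path, ts))
  return :replay if seen.key?(given)                   # same request seen again
  seen[given] = ts
  :ok
end
```

Entries in `seen` older than WINDOW can be dropped, since a request with that timestamp is rejected as stale anyway.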