0

The backend for my client web application is a JSON Api. I wanted to keep the backend generic so other devices such as mobile could reuse the same service.

Let's say each user account has a token in their profile, when they login with their username/password I send the token back. In each subsequent request I send back the token, look it up in the database in order to find out who the user is.

As the user moves throughout the app, how/where do I store this token. Do I store it in a cookie? Do I drop an additional cookie in order to keep some kind of session state going?

Paul Sylling
  • 359
  • 1
  • 5
  • 12
  • 1
    Without any other measures, you should surely NOT use a cookie to allow access to your API. If you do, then [I can query your API from my website](http://en.wikipedia.org/wiki/Cross-site_request_forgery), if I can make an authenticated user visit my site. – Arjan Dec 16 '12 at 13:37

1 Answers1

0

First of all this is not 100% RestFul.I have faced a similar situation. blogged it here

The solution is, I created a singleton object to store user authentication token in the application container.Then a filter was configured to query the request and get the authentication token sent by the client. Then this token is matched against the token stored in the Singleton Session object.

Prabash B
  • 330
  • 1
  • 2
  • 9