Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
C
C
Cyril2017-02-25 22:46:51
Node.js
Cyril, 2017-02-25 22:46:51

Does it make sense to sign REST API requests?

Does it make sense to sign each request to the REST API of the server on the client side with a special access token ( access_token )?
This access token is sent to the client as soon as it successfully logs in to the server.
Maybe just cookies? When I log in through the browser, I have user session cookies saved. Maybe just check for each client request for the presence of a user session cookie?
UPD:
The scheme is something like this:
1. The client logs in to the server:
Server <———(/login)——— Client
2. The server opens a user session and gives the client a cookie:
Server ———(cookie)———> Client
3 The client makes a request to the server's REST API, putting the cookie ID in the request header
Server <———(REST API + headers with cookie ID)——— Client
4. Server looks at the cookie from the client:
Server ~~~~~~~(Where is the cookie??)~~~~~~> Client
5. The client shows the cookie in response:
Server <~~~~~~~(Here it is: ...)~~~~~~ Client
6. The server checks the client's cookie against the cookie ID passed in the REST API request. And then it checks the cookie ID against the user session ID. If both checks pass, then the next step is .
7. The server executes the REST API request and returns the result:
Server ~~~~~~~(Get data ^_^ )~~~~~~> Client
Thanks in advance.

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

1 answer(s)
Report
V
vintage, 2017-02-25
@belyaevcyrill

A cookie is also an access_token, only substituted by the browser automatically, even if the request is initiated not by your page, but by the page of the left site. Accordingly, when forwarding a token through cookies, a third-party site will be able to make requests to yours on behalf of the user. Whether this should be allowed is up to you. If necessary, just use cookies. If not necessary, then the simplest thing is to send the token taken from the cookie in the header with the request, and check their identity on the server. You can get cookies with a script only from the same site who set them. It is better not to send the token in the url so that it does not appear in the logs.

Similar questions
N
Neonoviiwolf2017-04-05 01:12:43
ArrayList remove internal array using reference? 2Reply
K
krotish2015-06-22 10:28:55
How to compile chan_dongle under Tomato by Shibby (optware, Cross compilation)? 2Reply
J
JohnxFFF2019-11-11 07:27:48
How to properly organize settings for subdomains? 2Reply
Y
YakovSpb2021-06-01 14:29:13
How can I display posts only those that are in the time frame? 2Reply
A
Alexander Knyazev2017-01-23 16:57:02
How to wait for the execution of an external function in a "promise"? 2Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question