Answer the question
In order to leave comments, you need to log in
How to request authentication for every request in WEB API?
Good afternoon! Made custom web api authentication. All. Works. But here is a big problem. I need the server to ask for authentication data on every request. It's about cookies and sessions, but how to disable them?
Or did I not understand something about authentication? In general, here's what I want to do:
The server must check each request and perform authentication based on the user's token and secret key. In the request header, a hash of the data being sent is sent, which is created using a secret key. And here you need to check the title every time. How to do it?
Or create an authorization filter and check the headers on it (since these filters are called for the request every time)? But not quite the right approach.
Answer the question
In order to leave comments, you need to log in
1. Authentication is performed once. This is a rather complicated, potentially multi-step process. Doing authentication on every request is a 100% wrong decision, it will simply not be possible to use it.
2. Because authentication is performed once, then a certain token is used as a label for all requests from some authenticated user. It could be a session ID coming in a cookie, it could also be a JWT sent in the Authorization header. This is the token that needs to be checked every time. The essence of this token is that it is a) one way or another temporary (although it can be extended in one way or another); b) is not associated with a specific authentication method. Those. it represents a particular successful authentication. With some stretch it can be called a "session". Verifying this token is MUCH easier than doing a new authentication - either you just need to find the session in the list (well, check the IP just in case) in the case of a session ID, or check the validity of the signature in the case of a JWT token.
3. Насчёт фильтров авторизации - уточните версию ASP.NET, тогда поглядим.
Stanislav Makarov Thanks for the explanation.
2. Not JWT but almost the same.
3. .net version 4.5.1
I need to create a REST API service and one of the requirements is that www.restapitutorial.ru state does not exist . Therefore, in order to determine the user, I pass the token formed as follows:
Create an array of segments and url parameters. Sort alphabetically. We create a string from this array. Add the secret key hash to it. Add the current time in unix format. And we pass it in the Authorization header along with the user's UUID.
var token = url + secureKeyHash + currentTime;
var authorization = uuid + ":" + token;
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question