I am creating some web services that I would like to protect using a special (i.e. NOT WS-Secure, etc.) method. My plan at present is to have a method that accepts an active username and password (via HTTPS, of course) to authenticate the user. This method will then obtain the account SID for this user and encrypt it using a secure but reversible method and pass it back as a security token.

After that, the caller will pass the encrypted token as a parameter for each web method as a means of authenticating the caller. Then the token can be decrypted and returned back to the directory entry (and, thus, confirm their accuracy) is pretty trivial. This provides an added bonus, allowing the methods to fully identify the authenticated subscriber.

However, using the SID from an account, which is usually internal only, bothers me a bit. It is safe?

EDIT: As I said in the comment below, I realized that the token must be “session-based”, that is, it must expire in order to reduce the chance of reusing the token. This is likely to be fixed if the client session is part of the token.