What uniquely identifies a client making a request for a web API?

Let's say I'm writing a piece of code that makes an http call to a web api, something like:

$http.get('www.myapi.com/api/controller/endpoint').then(function(resp){...}) 

Then I pass this code to two people who live in different cities, and they each call my API from their respective houses (just from a browser). What information can my API get from an HTTP request that will allow me to tell person A from person B? Is the IP address available? Is the MAC address available? What else is there?

How could a person claim the role of person B when calling my API?

Also, what if person C calls my web API from his own web interface (backend)? Will the same information be available, or what will be different?

This is a general question, but if you want something concrete, let's say that ASP.NET Web API 2 receives the HTTP requests.

+8
javascript security c# asp.net-web-api2
4 answers

You are describing a desire for pre-authentication.

The IP will always be available. You can limit the service to only certain IP ranges. This is not a good way to do authentication.

Attempting to bypass authentication is unsafe. You must use a proper authentication method. Combining IP restrictions with other methods is fine.

John Meyer's answer is, in essence, user authentication based on a shared token. Possessing a valid token amounts to being permanently logged in. Such a token can be compromised much more easily than with conventional token-based authentication, which issues a temporary token with a limited lifetime.

If you decide to follow the pre-shared token route, use a method that supports proper rotation or replacement of the token over time, so that it is not vulnerable to replay attacks.

The best option for this scenario is typical token-based user authentication.

If you are really not interested in who uses your service, only in identifying each client uniquely, you can simply set a cookie for each user (with either a permanent or an arbitrary lifetime) using the HTTP Set-Cookie header, which all clients should automatically respect and support, and then use this as your tracking method.

+3

My team accomplished this by requiring an identity header to be included in all requests. This requires some configuration by the caller, but does not necessarily require the user to log in. Of course, the value of the header can be changed by malicious users, so if these calls need to be very secure, you will need traditional authentication.

+1

You seem very confused. What you are looking for is called authentication.

As you tagged C#, I assume that you are developing your API in C#. I recommend checking out Web API.

There are several authentication methods these days. If you are developing a REST API you can use JSON Web Tokens.

You can get a lot of information about the client calling your API via HTTP headers.

+1

I think you can always go fully authenticated. I see your desire to go for a semi-secure set of endpoints, but I do not think that any of those approaches will serve you best. MAC, IP, user-agent, custom fields: everything can be faked, to be honest. Going with a bearer token or a session token is your only bet. For public APIs, you can restrict user requests based on IP, or you can try to find out whether any particular IP is trying to abuse you and block it, but it is impossible to find the true identity anyway.

0
