I have a simple authentication scheme for the set of semi-public REST APIs that we create:
             /-----------------------\
             | Client POST ID/Pass   |
             | to an Auth Service    |
             \-----------------------/
[Client] ------------POST----------------------> [Service/Authenticate]
                                                    |
                                                    |   /-------------------------------\
[Client] <---------Session Cookie-------------------+   | Service checks credentials    |
   |                                                    | and generates a session token |
   |                                                    | in a cookie.                  |
   |                                                    \-------------------------------/
   |
[Client] -----------GET /w Cookie -------------> [Service/Something]
                                                        /----------------------------------\
                                                        | Client must pass session cookie  |
                                                        | with each API request            |
                                                        | or will get a 401.               |
                                                        \----------------------------------/
This works well because the client never needs to do anything other than receive a cookie and then pass it on. For browsers this happens automatically; for applications without a browser, it is quite trivial to save the cookie and send it with every request.
However, I do not understand what a good approach would be for performing the initial handshake from browser applications. For example, if this is done via AJAX, what prevents the user from accessing the ID/password that the client uses to establish communication with the service?
This seems to be the only stumbling block for this approach, and I'm at a standstill.
security authentication rest wcf
Flyswat