Best IT Recipes

Security MVC 4 Web Api

I am very new to web api security. I used the form authentication method. when a user logs in, a token is created and saved as a cookie in a user’s web browser. For each request, the token is changed and if the user is authenticated and an authorized user gets access to the service.

but I think this approach does nothing in the security of the web api. Cookies can be easily copied and pasted into another browser, and everyone can get the service.

I am thinking of using an application key and secret, as well as form authentication. I do not suggest using a third-party service like Oauth for authentication. I'm not sure about the implementation of the application key, and the secret is that it definitely works.

Please provide the best way to protect my web avia from using third-party services and prevent the capture of cookies, etc. What steps are taken to create a reliable api web application.

0
security web-services asp.net-web-api asp.net-mvc-4
Oct 15 '13 at 7:07
source share
1 answer

Form authentication is good enough. You can also do the following:

  • Use anti-fake (antifreeze) tokens. Check this one or this one
  • It will also be great if, with sensitive actions, you check whether the function was called from the same site or not. To do this, you can implement your own action filter. (check if the referral site is your site or an expected site).

Edited by:

Thanks guys for your comments. I think you're right. Good ASP authentication cookies are created as httpOnly cookies, which means that even if the site had some XSS vulnerabilities, it will still be secure and cannot be stolen. I also suggest using https everywhere if the site is used for sensitive operations (like a bank) to make sure cookies are completely safe.

0
Oct 15 '13 at 8:33
source share


More articles:


All Articles