Best IT Recipes

Authentication, authorization and session management in traditional web applications and APIs

Correct me if I'm wrong: in a traditional web application, the browser automatically adds session information to the server request, so the server can find out who the request is from. What exactly is actually added?

However, in an API-based application, this information is not sent automatically, so when developing an API, should I check if the request comes from an authenticated user, for example? How is this usually done?

+68
authentication api authorization session
Jun 09 '12 at 10:12
source share
6 answers

The HTTP protocol has no analogues in design; each request is executed separately and is executed in a separate context.

The idea behind session management is to send requests from the same client in the same context. This is done by issuing the identifier by the server and sending it to the client, then the client will save this identifier and resend it in subsequent requests so that the server can identify it.

Cookies

In a typical case of a browser server; The browser manages a list of key / value pairs, known as cookies, for each domain:

  • Cookies can be managed by the server (created / modified / deleted) using the HTTP Set-Cookie response header.
  • Cookies can be accessed on the server (read) by parsing the HTTP Cookie request header.

Web-based programming languages ​​/ frameworks provide functions for processing cookies at a higher level, for example, PHP provides setcookie / $_COOKIE to write / read cookies.

Session

Back to sessions. In a typical case of a browser server (again), server-side session management takes advantage of client-side cookie management. Session management PHP sets a session identifier cookie and uses it to identify subsequent requests.

Web application API?

Now back to your question; since you will be responsible for designing the API and documenting it, implementation will be your decision. You basically have to

  • provide the client with an identifier, whether using the HTTP Set-Cookie response header, inside the response body (XML / JSON response).
  • There is a mechanism for maintaining identifier / client communication. for example a database table that associates identifier 00112233445566778899aabbccddeeff with client / user # 1337 .
  • ask the client to resend the identifier sent to him in (1.) in all subsequent requests, whether in the header of the HTTP Cookie request, a ?sid=00112233445566778899aabbccddeeff param (*).
  • find the received identifier using the mechanism in (2.), verify the authentication and log in to perform the requested operation, and then perform the operation on behalf of the user auth'd.

Of course, you can rely on the existing infrastructure, you can use PHP session management (which will take care of 1..2 and authentication part 4.) in your application and require cookies to be executed on the client side (which will take care of 3.) and then you leave all your application logic.



(*) Each approach has disadvantages and pros, for example, using the GET request parameter is easier to implement, but may have security implications since GET requests are logged. You must use https for critical (all?) Applications.

+115
Jun 27 2018-12-12T00:
source share

Session management is the responsibility of the server. When a session is created, a session token is generated and sent to the client (and stored in a cookie). After that, in the following requests between the client and server, the client sends the token (usually) as an HTTP cookie. All session data is stored on the server, the client only stores the token. For example, to start a session in PHP, you just need:

 session_start(); // Will create a cookie named PHPSESSID with the session token

After creating a session, you can save data to it. For example, if you want to save the user in the log:

 // If username and password match, you can just save the user id on the session $_SESSION['userID'] = 123;

Now you can check if the user is authenticated or not:

 if ($_SESSION['userID']) echo 'user is authenticated'; else echo 'user isn't authenticated';

If you want, you can create a session only for an authenticated user:

 if (verifyAccountInformation($user,$pass)){ // Check user credentials // Will create a cookie named PHPSESSID with the session token session_start(); $_SESSION['userID'] = 123; }
+45
Jun 23 2018-12-18T00:
source share

There are many ways for authentic users, both for web applications and for APIs. There are several standards, or you can write your own authorization / and / or authentication. I would like to point out the difference between authorization and authentication. Firstly, the application must authenticate the user (or api client) from which the request comes. Once the user is authenticated, based on the user identification application, it is necessary to determine which authenticated user has permission to run a specific application (authorization). For most traditional web applications, there is no clear granularity in the security model, therefore, as soon as the user authenticates, he is in most cases also authorized to perform certain actions. However, these two concepts (authentication and authorization) should be like two different logical operations.

In addition, in classic web applications, after authentication and user authorization (mainly by searching for a pair of username and password in the database), authorization and identification information is recorded in the session store. Session storage does not have to be on the server side, since most of the answers above offer it, it can also be stored in a cookie on the client side, encrypted in most cases. For example, the PHP CodeIgniter framework does this by default. There are a number of client-side session security mechanisms, and I don’t see that this way of storing session data is less secure than storing sessionId, which is then viewed in server-side session storage. In addition, storing the client side of the session is quite convenient in a distributed environment, since it eliminates the need to develop a solution (or using an existing one) to manage a central session on the server side.

In addition, authentication with a simple “user password” pair does not have to be performed in any case through a special code that searches for the corresponding user record in the database. For example, a basic authentication protocol or authentication digest . On proprietary software such as the Windows platform, there are also ways to authenticate a user trough, such as ActiveDirectory

Providing a pair of username and password is not only an authentication method, but also the use of the HTTPS protocol, as well as authentication using digital certificates .

In a specific use case when developing a web service that uses the SOAP protocol as a protocol, there is also a WS-Security extension for the SOAP protocol.

With all these words, I would say that the answers to the following question introduce the decision-making procedure for choosing the authorization / authentication mechanism for WebApi:

1) What is the target audience, is it publicly available or only for registered (paid) participants?
2) Whether it is running either * NIX or the MS platform
3) How many users are expected
4) How sensitive is the data API with data (stronger and weaker authentication mechanisms)
5) Is there any single sign-on service that you could use

.. and much more.

Hope this clears the bit, as there are many variables in the equation.

+9
Jun 29 '12 at 17:52
source share

If the API-based APP is a client, then the API should be able to retrieve / read cookies from the server response stream and store it. To automatically add cookies when preparing a request object for the same server / URL. If it is not available, the session identifier cannot be restored.

+1
Jun 27 '12 at 9:45
source share

You're right, well, the reason is that the “automatic” reason in the standard environment is that cookies are preferable to distributing URLs so that everything is good for users. At the same time, the browser (client software) controls the storage and sending of the session cookie along with each request.

In the API world, simple systems often just have authentication credentials passed along with every request (at least in my work). Client authors tend to (in my experience) be reluctant to implement cookie storage and transmission with each request and generally nothing more than a bare minimum ...

There are many other authentication mechanisms for the HTTP APIs, the basic HTTP / digest to name a couple, and, of course, the ubiquitous o-auth, which is specifically designed for these things, if I'm not mistaken. No cookies are supported, credentials are part of every exchange (pretty sure about this).

Another thing is what you are going to do with the server session in the API. A session on a website provides storage for the current user and usually stores small amounts of data to take the load off page to page. In the context of the API, this is less necessary because things are more or less stateless, generally speaking, of course; it really depends on what the service is doing.

+1
Jun 28 '12 at 18:35
source share

I would suggest you send some kind of token with each request.

Depending on the server and service, they may be JSESSIONID in your GET / POST request or something mature, like SAML in SOAP via HTTP in a web service request.

+1
Jun 29 2018-12-12T00:
source share


More articles:


All Articles