5

I've read that a good way to write web services to be consumed from mobile apps is to avoid SOAP (too verbose) and to use REST. In many REST examples, I have seen it is better to avoid sessions due to the stateless nature of REST. But how can I assure security when invoking my web service? I would like to make a "login" call than pass a session_id/token to the next web service call. How can I do it?

Improve this question

2 Answers 2

Reset to default
4

The cleanest way would be using HTTP authentication. While that wouldn't go by the login+sessionid way you mentioned it would be much cleaner and more straightforward (API calls do not related on other API calls and clients do not need to expect session timeouts etc.)

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

But how do you implement that in your web server? I mean what I should do in my linux apache web server for HTTP authentication?
Nothing. You can do that purely in PHP by checking the relevant fields in the $_SERVER array and sending a 401 header if they are not present or do not match a valid user.
3

You can pass user token (and session, or any other auth data if you need it) in a json request like:

{"auth": {"session_id": "abc", "token":"123"},
 "data": "your request data"
}

If you are crazy about security you can generate a new token after each user login and even have life time for tokens.

Improve this answer

1 Comment

How does that go with RESTfullness? Doesn't it just move the problem?

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.