2

I need to implement an authentication scheme for a RESTful architecture. From several articles which I have read include basic Authentication using HTTPs and Session management using Cookie.

However I'm not well understanding the use of cookie. What i understands is that user first sends credentials. The server checks if the credentials are Ok. If yes, the server generates an authorization token and place it in the cookie. Onwards, on each and every request, server checks the validity of the token in the cookie.

But how does the server know that the content of the cookie is valid. Does it stores it somewhere and then it compares it??

Improve this question

2 Answers 2

Reset to default
3

The key point here is the authorization token. When generating one and sending back to the client, you store the auth token along with the username in let's say a database. You store the auth token in the cookie. The client on subsequent requests sends you the username and the cookie alongwith which contains the auth token. You verify this token against the supplied username and then perform the action per need.

However, do note that settings cookies makes your webservice call stateful and defeats the purpose of REST.

To achieve authentication/authorization, instead of setting the authorization token in the cookie, send it back as a response value. The client reads the value of auth token and then supplies the same in every REST request as a parameter of request body. Thus, you won't need to set cookies. This you may term as the toned down and simpler version of what is implemented in OAuth based API access.

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

When the server sends back the token to the client, the client will store it somewhere, but is this not risk?? Also, if every time we'll be transferring the token on the wire to the server, is there not a risk of someone intercepting the the request??
The client stores the token in the memory and that would be as safe as storing any other value in the memory (or the browser cookie). Transferring the token on the wire has same security issues that transferring the cookie would have (as given in the problem statement). All these limitations have been taken care of in the OAuth based API access. What it essentially implies is to sign the request paramswith the auth token using say SHA1/MD5 and include the checksum as another argument. As the server knows the auth token it can recompute the checksum and match it against the supplied one.
Thus the auth token is not transmitted back to the client. Only the username is supplied alongwith a checksum computed using the token. The only place where the token can be compromised is during the transmission from server to client during authorization - and hence, its safer to use it over HTTPS.
1

I'm not an expert, but a good starting point to understand this is the section on Sessions in Hartl's book.

If I'm not mistaken it works as follows:
When the token is created, it uses a formula, e.g. the username and a unique user key (a salt) encrypted together. Both the username and the salt are stored in the database, and the salt is unique to that user. So, as you would do to compare if passwords match, to check the validity of the cookie you recreate the token and compare it to the one in the cookie. If it matches, then the right user is logged in and therefore authorised.

Hope this helps, or at least points you in the right direction :)

Improve this answer

3 Comments

Do u think this can cause a security threat if each and every time we send the token in the cookie??
As explained above (in my comment), sending the token back again to server is definitely a security issue and should be minimized by using HTTPS protocol.
Well I don't know if I'd use it for a banking system, but if for every log in you use a unique number (e.g. the timestamp) to create the token, even if someone steals it, the system won't allow the "thief" to log on as the timestamp will be different. The method described should be secure enough for most cases. If you're a little more paranoid, try looking into saving a session in the Database instead of a cookie.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.