使用会话检查客户端是否在REST API中通过了身份验证

Question

I'm implementing a REST API with authentication. I was wondering which one of these two authentication solutions make more sense:

1) Having each methods doing authentication, every time they are called

Input api /endpoint/retrieveshoes

{
    "username":"gingo",
    "password":"124",
    "shoes_type":"A"
}

2) Having a separated login method and using the session for the other methods to make sure the client is authenticated.

Input api /endpoint/login

{
    "username":"gingo",
    "password":"124"
}

Input api /endpoint/retrieveshoes

{
    "username":"gingo"
}

If I call retrieveshoes without first doing the login, I will receive the message "Invalid session".

In the solution (1) I will have instead to repeat the authentication every time I call retrieveshoes.

But I was wondering if using the session like in the case (2) is safe, even if I use HTTPS. Which one of the two solutions is safe and effective? Do you know a third one?

Answer 1

Instead of default HTTP(S) sessions, you may want to consider using a authentication token that has a certain idle expiry time. This token can be generated by sending a request, lets say, to /endpoint/login with the username and password. Then all subsequent requests can just send that token to authenticate. To make it a tad bit more secure, you may want to bind the IP of the user to the token. Although, this has some drawbacks such as anyone on the same network with the same public address can use that token or if the user changes the network, he/she may need to login again.