I am trying to secure a Web API
which will be used by a mobile app running on Android
and iOS
. The way it works now is with Basic Authentication
with SSL
, it sends the username
and password
with each request to the Web API
. I validate the credentials in the Web API
in a filter
before the action
is called. This works great. The problem is, after users login I have to store the password on the device ( Android
/ iOS
) to save the session or they will have to login all the time. This isn't secure because if the device is hacked the credentials can be accessed. I'm looking for a way to user basic authentication without storing passwords on the device.
I think the solution in this article can work but I am unclear how to make it work. In the accepted answer it says
Generate a key for each of your apps and have them pass the key in each request as a token. Your server can then verify the key and authenticate the request.
Take a look at the Basic Authentication module from the ASP.NET site. The sample uses 'basic' as the authorization scheme but you can change it use 'token' instead.
I am not clear exactly on the process here. In this example there doesn't seem to be any username/password involved even during initial login. How would the user obtain the key without logging in? Then, what exactly is the "key" referred to in the quote. That could be anything such as a Guid
? I am also not understanding how this is anymore secure than storing a username and password on the device if is hacked. The hacker could use the "key" just as the username and password correct?
that's basics of authentication, I'll explain the process in a simplfied way. Hope you understand.
Do all of this using encryption. Everything!
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.