Web service user authentication - storing password on client
Question
I'm working on a soap webservice that needs some basic authentication.
So the idea is to just require that all webservice methods contain a username and password parameter, and then verify that those values exist in our users database:
public String[][] someWebserviceMethod(String username, String password) throws FailedLoginException {
// Verify that user with username and password exists
//do database stuff and return data
}
This does raise a problem on the client side. After the user initially logs in to the application, we'll need to store the username and password in memory as plain text. Is that acceptable? If not what is the preferred method?
Also, my webservice will be hosted on https. Does this ensure that the password is securely encrypted when the client sends a soap request?
Edit: Would a sessionID work? I've never implemented one without a framework or web server doing it for me. Maybe something like this:
- Client sends username and password.
- If client is valid, server returns random string (sessionId).
- Server stores sessionID and timestamp in database
- Client stores the sessionID in memory, does not store password
- Client requests web method with username and sessionID
- If user with username and sessionID exists, and timestamp within timeout period, grant access and update timestamp. Else force re-login.
1 answers
solution1
-3 2019-02-04 14:53:14
Yes HTTPS - S stands for secure and it encrypts all communication. But u can always use some other encryption methods like MD5, SHA-1 and more common ones. If you are doing this for some basic training it's ok to store the data in plain text /json without any encryption, otherwise check out these hash functions:
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.