Web Service Security

Tag: web-services, security Author: zhao0814 Date: 2010-09-30

We have an API that will only be used by our new website for now. I would like to get some input on what developers think about the security in place for this API.

1) SSL protected

2) When logging in, the user's "IP" is sent as well as the user and password. The API is then attached to the session and the session token is sent back. Whenever the next call is made, the userID, session and IP are passed. Then the userID is verified with the right session token and IP, and if it's good then the method is carried out.

3) The web service itself is protected to allow access only from the IP where the server is being hosted.

Thanks, Faisal Abid

My bad, I meant "IP" :)

Best Answer

I don't see why an IP address is passed. This should be pulled from the TCP socket and therefore cannot be spoofed or otherwise influenced by an attacker.

The session ID should be a cryptographic nonce, and ideally you would be using a session handler already available in your platform. There is no sense in reinventing the wheel.
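The following is an added illustration of the two points in this answer, not code from the question or the answer: a session token generated as a random nonce from the OS CSPRNG and stored server-side, and an authorization check that takes the caller's address from the accepted TCP socket (the `peer_ip` argument, which a framework would supply as something like `request.remote_addr`) and deliberately ignores any "ip" field the client puts in the message body. The allow-list address, the user name and the password are constructed sample values. As the answer says, a real deployment should use the platform's own session handler; this block only shows the properties such a handler gives you.

```python
import hmac
import secrets
import time

SESSION_TTL_SECONDS = 3600

# Constructed: the address of the website server that is allowed to call the API
# (the question's point 3). Anything else on the socket is rejected up front.
ALLOWED_CALLER_IPS = {"203.0.113.10"}

# Server-side session store: token -> {"user_id": ..., "expires": ...}.
# The token is the only secret; the client never chooses or sees the mapping.
_sessions = {}


def login(user_id, password, credential_check):
    """Verify credentials and issue a fresh random session token.

    credential_check(user_id, password) -> bool is the caller's own
    password verification (e.g. a salted hash comparison); it is a
    parameter here so the example stays self-contained.
    """
    if not credential_check(user_id, password):
        return None
    # 32 random bytes (256 bits) from the OS CSPRNG, URL-safe encoded:
    # unguessable, so knowing a userID alone does not help an attacker.
    token = secrets.token_urlsafe(32)
    _sessions[token] = {
        "user_id": user_id,
        "expires": time.time() + SESSION_TTL_SECONDS,
    }
    return token


def logout(token):
    """Invalidate a session token server-side."""
    _sessions.pop(token, None)


def authorize(token, user_id, peer_ip):
    """Decide whether a call may proceed.

    peer_ip must be the address of the accepted TCP connection, read from
    the socket by the server framework, never a value copied out of the
    request body.
    """
    if peer_ip not in ALLOWED_CALLER_IPS:
        return False
    entry = _sessions.get(token)
    if entry is None:
        return False
    if entry["expires"] < time.time():
        _sessions.pop(token, None)  # expired: drop it
        return False
    # Constant-time comparison so a wrong user id is not distinguishable
    # from a right one by response timing.
    return hmac.compare_digest(entry["user_id"].encode(), user_id.encode())


def handle_request(body, peer_ip):
    """Dispatch one API call.

    body is the parsed client message (the question's userID / session / ip
    fields); peer_ip is the socket address. The body's "ip" field is not
    read at all: only the transport-level address is trusted.
    """
    ok = authorize(body.get("session", ""), body.get("userID", ""), peer_ip)
    return "method carried out" if ok else "rejected"


if __name__ == "__main__":
    check = lambda u, p: (u, p) == ("alice", "s3cret")  # constructed credentials
    tok = login("alice", "s3cret", check)
    print(handle_request({"userID": "alice", "session": tok}, "203.0.113.10"))
    # A body that claims the allowed IP but arrives from elsewhere is rejected.
    print(handle_request({"userID": "alice", "session": tok,
                          "ip": "203.0.113.10"}, "198.51.100.7"))
```

Run as a script it prints "method carried out" for the legitimate call and "rejected" for the one whose body claims an allowed IP but whose socket address is not on the list. The session token alone ties the call to the user; the IP from the socket only decides whether this caller may reach the API at all.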

comments:

Well, how would the API script get the IP, since the API resides on a server different than the website?
The website makes a call to the API; essentially the website is a "client" for the API.
@Faisal Abid But the web server is using the API, right? Why is the client's IP address useful?
@Rook: 1) Had you asked nicely, I would have. 2) You are now immortalized in the tomes of profanity and inexcusable grammatical negligence.
@Alex Manners and grammar do not make you a skilled programmer or hacker.