views:

110

answers:

2

Hi

I want to make a Windows Mobile 6 cellphone application. This application will talk to a web service that I want to make.

I don't know much about web services and programming apps for phones, so I have a couple of questions.

  1. How do I do authentication? Like my user loads up my app and goes to the login page. They type in their credentials. This gets sent to the server and authenticated. Now what do I send back? Is there some sort of FormsAuthentication?

  2. After they log in, do I have to keep doing checks to see if they are logged in? Like in ASP.NET MVC I have AuthorizeAttributes on all my tags. That way no one can just type in the URL to that action method and be able to access it. But since this is an application, I'm not sure if they could, say, go to your login form (first form) and then somehow, without logging in, get to your main form (the one after the login form).

  3. Do web services have Authorize tags like ASP.NET MVC? Since I probably need something along those lines to ensure no one types my web service path into their web browser and gets access to all those methods I made in it.

  4. I am making an ASP.NET MVC application right now, and when the user types their credentials on my site, it is sent in what I am guessing is clear text to the server, hashed and then checked. I know maybe one day, when I can afford it, I can get SSL to make it more secure.

So my question is: with sending the credentials from the phone to the server, will it be less secure than what I have for my website right now? About the same? What can be done to make it more secure (is it SSL again?).

Thanks

A: 

I've had to address this issue several times in connecting from hand-held (Windows Mobile) applications to web services. The solution I've used is to create a cookie based on a hash of the user's login name and IP address once the authentication process has succeeded, e.g. user ID and pwd match persisted credentials on the server. You then pass this cookie back to the client, which will then pass it along with all web service requests for the rest of the session, e.g. the first parameter of any web method is the cookie.

pseudocode:

string cookie = webServiceInstance.Authenticate("userName", "password");
double balance = webServiceInstance.GetBalance(cookie, someId);

Of course you do want to use SSL so as to avoid passing your user id and pwd in plain text.

Paul Sasik
+1  A: 

You could also use SOAP headers to pass around user credentials or the authentication token. You can find an article on how to do this on http://www.codeproject.com/KB/cpp/authforwebservices.aspx, but to summarize, you create a header class:

using System.Security.Authentication; // AuthenticationException
using System.Web.Services.Protocols;

// SOAP header carrying the caller's credentials. The client fills it in;
// the service reads it from the AuthenticationInfo property declared below.
public class AuthHeader : SoapHeader
{
    public string Username;
    public string Password;
}

You define a public property on the web service

public AuthHeader AuthenticationInfo;

and add some attributes to any web methods you would like to be only accessible to authenticated users:

[SoapHeader("AuthenticationInfo", Required = true)]
[WebMethod]
public string HelloSecretWorld()
{
    // Required=true makes the runtime reject calls that omit the header,
    // but the null check keeps the method safe if that setting is ever relaxed.
    if (AuthenticationInfo == null
        || !(AuthenticationInfo.Username == "Hello" && AuthenticationInfo.Password == "World"))
        throw new AuthenticationException();

    return "Hello World";
}

The client code would look like:

MyWebService ws = new MyWebService();
// The generated proxy exposes the header as a property: set it once and it is sent with every call.
ws.AuthenticationInfo = new AuthHeader { Username = "Hello", Password = "World" };
Console.Out.WriteLine(ws.HelloSecretWorld());

This way you don't need to modify the signatures of the methods to add authentication.

Michał Drozdowicz
So would I have to send the credentials over on every action? Like I see you made a new web service object. So say I go to another form on my phone application and make a new web service object. Do I need to resend the credentials?
chobo2
You could also only send the authentication token instead of the credentials. In that case, you would first ask the web service for a token, passing in your credentials (either as a SOAP header or as regular web method parameters), and later use another SOAP header with a single property (Token) for all other web method calls. This way you don't need to use SSL for other calls while still keeping security away from your method signatures.
Michał Drozdowicz
What's an authentication token? How do I generate it? What happens if I wanted to add a role check to this authentication? Like I have 3 roles and some methods can only be used by certain roles. So I would have to check for that too.
chobo2
An authentication token is something like a session ID: it might be a string containing the hash of a user (like in psasik's answer) or simply a GUID. You would issue it in some sort of Login or Authenticate web method and then use it to verify that other calls to the web service are made by the same user. On the service side you would usually store the generated tokens in some table along with a reference to the user table and the date of issue (tokens are usually valid only for some time, in the same way as a web session expires).
Michał Drozdowicz
Hmm, I think I understand, but is there any tutorial on this?
chobo2
Check the CodeProject link from my answer. As for the session ID/authentication token, have a Google around. It's a fairly common practice and it's in no way mobile device specific.
Michał Drozdowicz