Security in API authentication

Question

We are in the process of revamping our server side API, and we need to manage security. Our current model requires that a credentials object (containing user, password, and pin) be included in each method invocation. Our development team, however, has decided that we should have session objects instead (which is fine by me), but the new credentials are just a GUID. This is very different from what I've seen in other APIs in our industry, so I'm a bit concerned about how secure the new model will be. I asked them if they had analyzed both alternatives, and they said they haven't.

Does anyone know if there're any clear advantages, disadvantages, risks, etc. of using a set of credentials versus just one element (complex as it may be)?

PS: the communication channel would be secure in either case, and it's separate from this particular topic

Answer 1

You may need to describe more about your system - is it a web app or a service, for example. If it's a web-app, and you have a secure channel to the client, then simplicity would strongly favour using the web container's session object.

Should every request be self-authenticating or not? Some of the factors that may influence your decision:

• How complex/slow is the authentication process?
• Do clients typically conduct multiple requests in a session, or do they infrequently call just a single service.
• Are there different authentication/authorization policies for different requests?
• Is it important to be able to revoke access to a client in the middle of a session?