views:

183

answers:

2

I am trying to use MVC 2 as a middle layer for my iPhone app. The basic principle here is that the MVC site will expose APIs that will allow users to POST data from the iPhone and GET data from a SQL database running behind the MVC app. The MVC 2 project will facilitate the to-and-fro logic.

I have a few questions regarding that...

1. What is the best way of securing the MVC app so that only recognized iPhones can access the GET/POST methods?
2. Can I use a shared hosting account for SQL Server and start pointing my db connections to it?
3. Any other thoughts on best implementing this?

I am quite new to MVC but very excited about using it...

Thank you!

A: 

I'm not sure how much your post is actually about asp.net MVC.

Your first question is how to secure the app so that only recognized iPhones can access the GET/POST methods. This sounds more like an HTTP question and I guess it depends on your definition of "secure" and what you're trying for. You could potentially send the license key (over HTTPS I would assume) from the iPhone and authenticate that. However, there's nothing stopping someone from sharing this key or using it from a non-iPhone. You could create a hash or something on registration and then validate against that (think Windows validation), which might help, but there will always be ways around this. In short, you're not going to be able to truly test against "registered iPhones", but rather something that you define as a "registered iPhone" which could potentially be spoofed but is "good enough" for your needs.

In MVC, validation should be done at the Attribute level -- you would decorate your Actions with some sort of validation attribute. The built-in one is called Authorize and works with the built-in ASP.NET Membership. It doesn't sound like that's what you would want to use, so you might want to build your own attribute to validate the HTTP request yourself.

In regards to using a shared hosting account, I'm not sure what the question is. Are you asking if a shared hosting account will work for your needs? I don't know your needs, but shared hosting can certainly accommodate 1) ASP.NET MVC, and 2) SQL databases.

statichippo
A: 

This is a really high level question you are asking...

What I would do in this situation is somehow tie a unique key to the phone or user+phone (depends on how the iPhone works - can it hold multiple users?). This can be done a number of ways, but one popular way would be to have the user authenticate with your site and link their phone to their account. During this process you send a unique key down to the phone that it uses for subsequent requests.

This gives you a few things:

- basic security for actions - you can validate the incoming key against a database to see that it is allowed, AND
- user connections - allows you to easily store user data on your site "in the cloud" and lets you instantly know who is connecting

To actually do it, you should go as statichippo suggested with the attribute. I do this to validate a user against particular actions' role requirements.

Shared hosting might work, but if your app is successful you may need more powa. Cloud hosting may be beneficial here as you will probably have peak/boom hours and low usage hours every day.

Krisc
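Both answers point at the same design: hand the phone a per-device key when the user links it to their account, then check that key in a custom attribute on the actions. The following is an added example of that attribute for ASP.NET MVC 2; it is not code from either poster. The header names (X-Device-Id, X-Device-Key), the in-memory key store and its sample row are assumptions made for illustration; a real app would read the key hash from the database table written at registration time.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Mvc;

// Hypothetical device-key store. In the real app this is a table of
// (device id, key hash) rows created when the phone is linked to an account.
// Only a SHA-256 hash of the key is kept, so a leaked table does not leak keys.
public static class DeviceKeyStore
{
    private static readonly Dictionary<string, byte[]> KeyHashes =
        new Dictionary<string, byte[]>(StringComparer.Ordinal)
        {
            // Constructed sample row: device "phone-0001" registered with this key.
            { "phone-0001", Sha256("sample-key-replace-me") }
        };

    public static byte[] Sha256(string value)
    {
        using (var sha = SHA256.Create())
            return sha.ComputeHash(Encoding.UTF8.GetBytes(value));
    }

    public static bool IsValid(string deviceId, string presentedKey)
    {
        if (string.IsNullOrEmpty(deviceId) || string.IsNullOrEmpty(presentedKey))
            return false;
        byte[] stored;
        if (!KeyHashes.TryGetValue(deviceId, out stored))
            return false;
        return FixedTimeEquals(stored, Sha256(presentedKey));
    }

    // Compare every byte regardless of where the first mismatch is, so the
    // response time does not reveal how much of the hash matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Decorate an action or controller with [RequireDeviceKey]. The phone sends
// X-Device-Id and X-Device-Key (assumed header names) on every request
// after registration.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = false)]
public sealed class RequireDeviceKeyAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // The key is a bearer secret: never accept it over plain HTTP.
        if (!httpContext.Request.IsSecureConnection)
            return false;

        string deviceId = httpContext.Request.Headers["X-Device-Id"];
        string key = httpContext.Request.Headers["X-Device-Key"];
        bool ok = DeviceKeyStore.IsValid(deviceId, key);

        if (ok)
            httpContext.Items["DeviceId"] = deviceId; // tells the action who is calling
        return ok;
    }

    // An API client cannot follow the default redirect to a login page,
    // so answer a failed check with a plain 401 instead.
    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        filterContext.Result = new HttpUnauthorizedResult();
    }
}

public class SyncController : Controller
{
    [RequireDeviceKey]
    [HttpPost]
    public ActionResult Upload(string payload)
    {
        var deviceId = (string)HttpContext.Items["DeviceId"];
        // ... persist payload for deviceId ...
        return new HttpStatusCodeResult(204);
    }
}
```

As statichippo notes, this only proves the caller holds a key that was once issued to a registered phone, not that the caller is that phone; treating the key as a revocable per-device credential (delete the row to cut a lost phone off) is what makes the scheme "good enough" in practice.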