Hi All,

I am building a RESTful API for an application I am working on, and client coders need to be able to submit data to the API on behalf of a user. All the popular APIs I've used require me to send the generated session token (created when a user is logged in) for the user with a request to post information on the user's behalf.

My question, out of curiosity, is why do these APIs require a session key and not just allow me to send the username and password again with each request?

Thanks.

A: 

The main reason is no doubt a security issue around passing sensitive data back and forth. Passing a session key means that if it is compromised it only has a limited lifespan for the attacker to use it. Also, if an attacker compromised the session key, they could not use that information to launch an attack against other websites that the user may have accounts with (and will likely use the same password).

Another reason to use the session key is that if the user changes their password whilst you are busy using the API, you will not suddenly be locked out.
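To make the two points in the answer concrete, here is an added example (not code from the asker or the answerer) of a minimal token-based login flow: the password is checked once at login, the API is then driven with an opaque, short-lived token, and a stolen token stops working when it expires. It keeps state in in-memory dictionaries (`USERS`, `SESSIONS`) and uses an assumed one-hour lifetime (`SESSION_TTL`); all function names are illustrative. The `now` parameters exist only so the expiry behaviour can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores; a real API would keep these in a database.
USERS = {}     # username -> (salt, password_hash)
SESSIONS = {}  # token -> {"user": username, "expires": unix_time}

SESSION_TTL = 3600  # assumed lifetime of a session token, in seconds


def _hash_password(password, salt):
    # PBKDF2 so that a leaked USERS table does not hand out reusable passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(username, password):
    """Create (or overwrite) a user record with a fresh salt."""
    salt = secrets.token_bytes(16)
    USERS[username] = (salt, _hash_password(password, salt))


def login(username, password, now=None):
    """Verify the password once and return an opaque, random session token."""
    now = time.time() if now is None else now
    record = USERS.get(username)
    if record is None:
        return None
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return None
    # The token carries no password material: stealing it reveals nothing
    # reusable on other sites, and it is only good until "expires".
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": username, "expires": now + SESSION_TTL}
    return token


def authenticate(token, now=None):
    """Map a token to its user; unknown or expired tokens are rejected."""
    now = time.time() if now is None else now
    session = SESSIONS.get(token)
    if session is None:
        return None
    if now >= session["expires"]:
        del SESSIONS[token]  # prune so a captured token cannot be replayed later
        return None
    return session["user"]


def change_password(username, new_password):
    """Rotate the password; tokens already issued stay valid until they expire."""
    register(username, new_password)


def post_on_behalf(token, payload, now=None):
    """The API call a client makes with the token instead of the credentials."""
    user = authenticate(token, now)
    if user is None:
        return {"status": 401, "error": "invalid or expired session"}
    return {"status": 201, "user": user, "payload": payload}


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    t = login("alice", "correct horse battery staple", now=1000.0)
    print(post_on_behalf(t, {"text": "hello"}, now=1500.0))        # 201
    change_password("alice", "a different password")
    print(post_on_behalf(t, {"text": "still works"}, now=1600.0))  # 201
    print(post_on_behalf(t, {"text": "too late"}, now=1000.0 + SESSION_TTL))  # 401
```

The example keeps existing sessions valid across a password change, which is the behaviour the answer describes; whether an API should instead revoke them at that moment is a policy decision for the service, and the `SESSIONS` table is where such revocation would be applied.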
