I've done this in the past by creating an ActionFilter for authorization.
    using System;
    using System.Web;
    using System.Web.Mvc;

    public class DeviceAuthenticatedAttribute : AuthorizeAttribute {
        // Per-request state in a field works in MVC 1/2, but MVC 3 and later cache
        // filter instances across requests; keep it in httpContext.Items there instead.
        protected BaseIDeviceController controller;
        public override void OnAuthorization(AuthorizationContext filterContext) {
            controller = filterContext.Controller as BaseIDeviceController;
            base.OnAuthorization(filterContext);
        }
        protected override bool AuthorizeCore(HttpContextBase httpContext) {
            // Missing or empty SID header: not authenticated
            string sid = httpContext.Request.Headers.Get("SID");
            if (string.IsNullOrEmpty(sid))
                return false;
            // TryParse rather than new Guid(sid): a malformed header must fail
            // authorization, not throw a FormatException out of the filter
            Guid context;
            if (!Guid.TryParse(sid, out context) || controller == null)
                return false;
            //code here to check if it is a valid SID in YOUR environment
            controller.PortalSession.CurrentUserId = context;
            return true;
        }
    }
Then in the calls on the client side, I inject the SID into the request's header to be interrogated by this filter.
When the user originally authenticates, it sends a token to the client so it can compute the SID. Both the client and the server know how to compute the SID the same way so I check if it is identical.
Take a look at this article; I use the Device ID to compute the SID on the client and server.
http://stackoverflow.com/questions/3484097/c-create-an-auth-token-from-guid-combined-with-40char-hex-string-uuid
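As an added example (not part of the answer above), one way to derive the SID from the login token and device id on both sides and to check the presented header in the filter. The answer only links to its derivation, so HMAC-SHA256 over the device id keyed with the token is assumed here, as are the names DeviceSession, ComputeSid and VerifySid and the constructed sample values.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Assumed scheme: SID = first 16 bytes of HMAC-SHA256(key = login token, msg = device id),
// packed into a Guid so it fits the Guid-typed SID the filter above expects.
public static class DeviceSession
{
    // Run on the client after login and, at login time, on the server, which stores
    // the result as the expected SID for this session.
    public static Guid ComputeSid(Guid loginToken, string deviceId)
    {
        using (var hmac = new HMACSHA256(loginToken.ToByteArray()))
        {
            byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(deviceId));
            byte[] sid = new byte[16];
            Array.Copy(mac, sid, sid.Length);
            return new Guid(sid);
        }
    }

    // Run in the filter: parse the header without throwing, then compare against the
    // stored SID in constant time so a wrong value does not leak how many bytes matched.
    public static bool VerifySid(string sidHeader, Guid expectedSid)
    {
        Guid presented;
        if (string.IsNullOrEmpty(sidHeader) || !Guid.TryParse(sidHeader, out presented))
            return false;
        byte[] a = presented.ToByteArray();
        byte[] b = expectedSid.ToByteArray();
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        // Constructed values: a login token and a 40-hex-char device id
        Guid token = Guid.NewGuid();
        string deviceId = new string('a', 40);
        Guid sid = ComputeSid(token, deviceId);                        // client side
        Console.WriteLine(VerifySid(sid.ToString(), sid));             // matching SID
        Console.WriteLine(VerifySid(Guid.NewGuid().ToString(), sid));  // wrong SID
        Console.WriteLine(VerifySid("not-a-guid", sid));               // malformed header, no exception
    }
}
```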