We have an API that will be used only by our new website for now. I would like to get input on what stackoverflowers think about the security in place for this API.

1) SSL protected

2) When logging in, the user's "IP" is sent as well as user and password. The API is then attached to the session and the session token is sent back. Whenever the next call is made, the userID, session and IP are passed. Then the userID is verified with the right session token and IP, and if it's good then the method is carried out.

3) The webservice itself is protected to allow access only from the IP where the server is being hosted.

Thanks, Faisal Abid

A:

I don't see why an IP address is passed. This should be pulled from the TCP socket and therefore cannot be spoofed or otherwise influenced by an attacker.

The session id should be a Cryptographic Nonce and ideally you would be using a session handler already available in your platform. There is no sense in re-inventing the wheel.

Rook
Well, how would the API script get the IP, since the API resides on a server different than the website?
Faisal Abid
The website makes a call to the API, essentially the website is a "client" for the api.
Faisal Abid
@Faisal Abid but, the webserver is using the API right? Why is the client's ip address useful?
Rook
@Rook: 1) Had you asked nicely, I would have. 2) You are now immortalized in the tomes of profanity and inexcusable grammatical negligence.
Alex
@Alex Manners and grammar do not make you a skilled programmer or hacker.
Rook
@Rook: You are correct; I made neither of those claims. However it seems you lack logic, which is a skill characteristic of good programmers.
Alex
@Rook: I'm not sure which 'server' you are referring to - downvoting all my questions/answers like you are doing does not constitute hacking. On a related matter, you've been getting trolled for 20 minutes.
Alex
@Alex i love trolls and i like speling and gramor.
Rook
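The scheme in the question and the two points in the answer (take the client address from the socket, make the session id a cryptographic nonce), as an added example in Python. This is not code from the original question or answer; it assumes an in-memory session table, an idle timeout of 30 minutes, and that the server framework exposes the socket peer address (the way `request.remote_addr` does in most web frameworks). The `user_id`, `session` and `ip` field names mirror the question; any `ip` field the caller sends is read and deliberately ignored.

```python
import hashlib
import secrets
import time

SESSION_TTL_SECONDS = 30 * 60  # assumed idle timeout; not stated in the original post


def _key(token: str) -> str:
    # Store only a hash of the token so a leaked session table does not hand out live sessions.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class SessionStore:
    """Sessions keyed by sha256(token), each bound to a user and to the peer address
    the server itself observed on the TCP socket."""

    def __init__(self, ttl: float = SESSION_TTL_SECONDS, clock=time.time):
        self._sessions = {}  # sha256(token) -> {"user_id", "peer_ip", "last_seen"}
        self._ttl = ttl
        self._clock = clock  # injectable for tests

    def login(self, user_id: str, peer_ip: str) -> str:
        """Create a session after the password check has already passed.

        peer_ip must be the address read from the socket (e.g. request.remote_addr),
        never a field taken from the request body.
        """
        token = secrets.token_urlsafe(32)  # 256 random bits from the OS CSPRNG
        self._sessions[_key(token)] = {
            "user_id": user_id,
            "peer_ip": peer_ip,
            "last_seen": self._clock(),
        }
        return token

    def authorize(self, user_id: str, token: str, peer_ip: str) -> bool:
        """True only if token is a live session for user_id seen from the same peer."""
        sess = self._sessions.get(_key(token))
        if sess is None:
            return False
        now = self._clock()
        if now - sess["last_seen"] > self._ttl:
            del self._sessions[_key(token)]  # expired: drop it so it cannot be revived
            return False
        if sess["user_id"] != user_id or sess["peer_ip"] != peer_ip:
            return False
        sess["last_seen"] = now  # sliding idle timeout
        return True

    def logout(self, token: str) -> None:
        self._sessions.pop(_key(token), None)


def handle_call(store: SessionStore, body: dict, socket_peer_ip: str) -> str:
    """Dispatch one API call. `body` is what the caller sent; an "ip" field in it is
    ignored in favour of the address the server read from the socket."""
    if store.authorize(body["user_id"], body["session"], socket_peer_ip):
        return "ok"
    return "denied"


if __name__ == "__main__":
    store = SessionStore()
    tok = store.login("faisal", "10.0.0.5")  # constructed sample values
    print(handle_call(store, {"user_id": "faisal", "session": tok, "ip": "10.0.0.5"}, "10.0.0.5"))
    # Body claims the right IP but the socket says otherwise: denied
    print(handle_call(store, {"user_id": "faisal", "session": tok, "ip": "10.0.0.5"}, "203.0.113.9"))
```

Because the only client of this API is the website's own server, binding a session to the socket peer address is workable; for end users behind NAT or on mobile networks the same binding would break sessions whenever their address changed. If the API needs the end user's IP for audit purposes, the website can forward it as a separate field, but it is then data vouched for by the website server, not something the API can verify.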