I typically ask my questions over on StackOverflow, however this one I know would immediately get voted down as requiring someone to give their opinion, heaven forbid! I'm hoping the folks over here are a little more forgiving in this area.

I am converting a really old ColdFusion app over to .NET. This version is a stepping stone to where I'd like it to be, ie. Angular, etc. I've created all of the database interactions as .NET MVC Web Api while using client side code (jQuery AJAX) for the front end. Ideally we should be using an SSO to secure access to the API but that won't be implemented for at least another year. In the meantime, this app needs to go live yesterday and I realize it would not be smart to leave open the ability to insert records into the database by someone able to guess or discover the URL to my API.

I'd like to start simple and get more complex and secure as time permits. The reality is time is short and I can only learn so fast. There must be (maybe an old school way) a simple way to implement a token or similar method such that a) only MY web app can submit to the API and/or b) only the authenticated user can connect to the API. Suggestions?

Aeonix commented: This question for President, I'd like to know too... had hard time asking this question. +4

Recommended Answers

All 4 Replies

Here's my simple answer.

  1. Any client side script is open to explotation so you don't put any password tests there.
  2. So all your security is on your server side. The client "logs in" and for that session its for that login.
  3. About "discover the URL to my API. " That's a given. Any decent scientist can figure out the URL. That's why you have them login. That way you know who did what when and ban those that misbehave.

HI Connie. Welcome to DaniWeb! Firstly, one of the biggest differences between DaniWeb and SO is that we're an interactive community that encourages discussion. ;)

That being said, there are a lot of OAuth libraries that exist already across a wide variety of languages. I don't use .NET, but I'm sure that you should be able to get SSO working with only a few hours of work? Other than that, a second alternative, as you suggest, would be token-based. I guess the absolute simplest thing to implement would be to randomly generate a key and hard-code an encrypted version of it in a file somewhere on the server. Require a key to be passed in as a parameter or as part of the HTTP header with every request. Ensure that an encrypted version of the plaintext version passed in matches the encrypted version stored on the server. Do this check first thing on every request that comes in.

That being said, I think an existing OAuth library would be simpler and out-of-the-box. Besides, I'm a big fan of doing things right the first time so you won't have to go back and do them again later on. In other words, go the SSO route. ;)

Member Avatar

Besides, I'm a big fan of doing things right the first time so you won't have to go back and do them again later on.

Yes indeed.

commented: Most of us have done this. Client upset it's "to specification." +11

So, this reminds me of the very early days, old school, when if you wanted to be sure data submitted to your website came from a form on your site. You would pass a secret value as a form value that only you knew what that value meant.

I want to make sure that my API only accepts data via a jQuery AJAX call in a web page that came from my website. And I want to make sure that the user has previously authenticated recently. In an ideal world, SSO is the right solution but we don't have that luxury today.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, learning, and sharing knowledge.