based authentication and web API

2018-06-14 11:12:02

I'm architecting a public web API for my service. It will be equally consumed by web pages and native mobile apps (iOS, Android and Windows 8).

Should I use cookie-based authentication? I mean, is this the best practice for this scenario?

Futher Info:
After a little research in the authentication/authorization/openId-connect field i realized that most of everything is handled by the browser, by that i mean, the redirects, coockie insertion and related "boiler-plate" stuff... when i think about all that boiler-plate that i will have to duplicate in my natives apps, i wonder if that model is the best for mobile apps. i mean, maybe theres another more mobile-native-friendly way...

Ps: i know that this is a little generic still, it's just that i'm a begginer in the field of security and i dont know how to properly express my doubts/concerns/"laziness" still...

The API itself should really be stateless, and not manage any sessions. Each request to an API should be made with the authentication details (eg OAuth token).

If the Web pages and mobile applications need to maintain some kind of session, then it should be up to them as clients of the service to maintain that state. For instance, a Web page might set a session cookie for the user, but a native mobile app might want a completely different approach.

See also: If REST applications are supposed to be stateless, how do you manage sessions?

链接地址: http://www.djcxy.com/p/41158.html

上一篇: 如何在cakephp的restful webservics中维护会话状态？

下一篇: 基于Web的认证和Web API