
http://www.codeproject.com/Articles/630986/Cross-Platform-Authentication-With-ASP-NET-Web-API#_rating

The above link shows exactly how I want to go about authenticating against an ASP .NET Web API. It looks very easy but how safe is it in practice?

It involves creating your own encrypted token by stringing together the user's user ID and the IP address of the client being authenticated. Then authenticating that string variable using some kind of encrypting technology.

Then upon each subsequent request that is sent to the API by the same user, the API will check if the token is valid (it comes from the same client that authenticated, it has not timed out, etc.).

The token will be checked by decrypting the token and checking that the client ID that comes out of the decryption is the same as that of the requester's IP.

not reading that url but going off your description, not very. If you want arbitrary tokens then generate non-predictable ones with a cryptographic hashing algorithm and secret information + unique information. Using predictable public information makes it so a client could decide if their information results in token X, then someone else's information might be A which they could predict resulting in token Y therefore they could predict other users' tokens. Secret information is the necessity to ensure users may not predict each other's tokens. And that doesn't even speak to nonces/MITM... –  Jimmy Hoffa Sep 10 '13 at 21:07
I once did something very similar for an intranet application, though I used secret information as well as public to construct my tokens. I was very unhappy that environmental limitations forced me into it, and I was shocked that it got past the security review. I wouldn't do it again, and I certainly wouldn't do it with exclusively public information, for all the reasons Jimmy gave. –  Millie Oct 6 at 2:52
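Added example, not from the question, the linked CodeProject article, or either commenter: the shape of token Jimmy describes, built from unique information (user id, client address, expiry) plus a server-side secret, with the secret mixed in through an HMAC rather than a plain hash. It is written in Python for brevity; the construction is language-neutral and maps directly onto `System.Security.Cryptography.HMACSHA256` in .NET. The secret value, the user id, the addresses and the timestamps are all constructed sample data. The `unkeyed_token` function shows what a token derived only from public information looks like, and that the verifier rejects it, which is the point of the comment above.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample secret for this example only. A real deployment loads it
# from configuration or a key store; it must never be derivable by a client.
SERVER_SECRET = b"constructed-example-secret-not-for-production"


def _payload(user_id: str, client_ip: str, exp: int) -> bytes:
    # Canonical encoding (sorted keys, no whitespace) so the same claims always
    # produce the same bytes to sign.
    return json.dumps(
        {"uid": user_id, "ip": client_ip, "exp": exp},
        sort_keys=True, separators=(",", ":"),
    ).encode()


def _encode(payload: bytes, tag: bytes) -> str:
    return (base64.urlsafe_b64encode(payload).decode()
            + "." + base64.urlsafe_b64encode(tag).decode())


def issue_token(user_id: str, client_ip: str, ttl_seconds: int,
                secret: bytes = SERVER_SECRET, now: Optional[float] = None) -> str:
    """Issue a token bound to a user, a client address and an expiry time.

    The tag is HMAC-SHA256 over the claims under the server secret, so a client
    that knows every public field still cannot produce a valid tag."""
    now = time.time() if now is None else now
    payload = _payload(user_id, client_ip, int(now) + ttl_seconds)
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return _encode(payload, tag)


def unkeyed_token(user_id: str, client_ip: str, exp: int) -> str:
    """Token built from public information only (no secret), i.e. predictable
    by anyone who knows the format. Used here to show it is rejected."""
    payload = _payload(user_id, client_ip, exp)
    return _encode(payload, hashlib.sha256(payload).digest())


def verify_token(token: str, client_ip: str, secret: bytes = SERVER_SECRET,
                 now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is authentic, unexpired and presented
    from the bound client address; otherwise return None."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error):
        return None
    # Check the MAC before trusting any field in the payload. compare_digest is
    # constant-time, so an attacker cannot learn the tag byte by byte.
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(payload)
    if claims["exp"] <= now:
        return None          # timed out
    if claims["ip"] != client_ip:
        return None          # presented from a different client than it was bound to
    return claims


if __name__ == "__main__":
    t = issue_token("alice", "10.0.0.5", ttl_seconds=3600)
    print("valid:", verify_token(t, "10.0.0.5") is not None)
    print("wrong client:", verify_token(t, "10.0.0.6"))
    print("unkeyed:", verify_token(unkeyed_token("alice", "10.0.0.5", 2_000_000_000), "10.0.0.5"))
```

Two caveats worth keeping in mind with the scheme in the question. Binding a token to the client IP is a weak second factor: clients behind NAT share one address, and mobile clients change addresses mid-session, so the check mostly produces spurious rejections rather than stopping a replay from the same network. And the strength of the whole construction rests on the secret: if it is guessable, or the same value is shipped to every installation, the HMAC degrades to the unkeyed case above. A standard signed-token format with an existing library is generally preferable to a hand-rolled encoding.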
