Possibly something like this in concept:

Call to your API to authenticate user and create session info in table (sessionid, actualuser, sessioncreatedtime, sessionexpirestime, sourceip perhaps, whatever else you want to store for sesson ?)
http://1.1.1.1/webapi?action=login&uid=user&pwd=pass

Extract returned session ID from HTTP return data stream. Login call can also be used to remove previous sessions for this user before generating session.

I like using GUID as session IDs or some other long random string

Call to your actual API with session ID
http://1.1.1.1/webapi?action=getcust&cust=100&sid=sessionid

If a bad session ID, no data returned.

The XMLSERVICE CGI interface works similarly except I think you have to pass user/pass with each call.

I've used this concept before and it seems to work fine.

Feel free to point out holes :-)

Have fun.

Regards,

Richard Schoen | Director of Document Management Technologies, HelpSystems
T: + 1 952-486-6802
RJS Software Systems | A Division of HelpSystems
richard.schoen@xxxxxxxxxxxxxxx
www.rjssoftware.com
Visit me on: Twitter | LinkedIn

----------------------------------------------------------------------

message: 1
date: Mon, 17 Aug 2015 19:42:23 +0200
from: "p.Caroti" <p.caroti@xxxxxxxx>
subject: [WEB400] put in safety my Rest Web Services

Hi



I have written and published some web Services to send and receive data from App (Android and iOs) ; at this moment anybody that know System I ip address and web service name could send and receive data from my System i.
My question is how could protect the Web Service's call . I was thinking to a dynamic password linked to date and time passed as parameter in uri ..
Which technique do you use in this situations ?



Thanks in advance



As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.