A simple question ...

Do you control the programming on the client side? I may be able to give you
a nearly bulletproof solution.

On Tue, Aug 18, 2015 at 5:14 PM, Richard Schoen <
Richard.Schoen@xxxxxxxxxxxxxxx> wrote:

Possibly something like this in concept:

Call to your API to authenticate user and create session info in table
(sessionid, actualuser, sessioncreatedtime, sessionexpirestime, sourceip
perhaps, whatever else you want to store for session?)
http://1.1.1.1/webapi?action=login&uid=user&pwd=pass

Extract returned session ID from HTTP return data stream. Login call can
also be used to remove previous sessions for this user before generating
session.

I like using GUID as session IDs or some other long random string

Call to your actual API with session ID
http://1.1.1.1/webapi?action=getcust&cust=100&sid=sessionid

If a bad session ID, no data returned.

The XMLSERVICE CGI interface works similarly except I think you have to
pass user/pass with each call.

I've used this concept before and it seems to work fine.

Feel free to point out holes :-)

Have fun.

Regards,

Richard Schoen | Director of Document Management Technologies, HelpSystems
T: + 1 952-486-6802
RJS Software Systems | A Division of HelpSystems
richard.schoen@xxxxxxxxxxxxxxx
www.rjssoftware.com
Visit me on: Twitter | LinkedIn

----------------------------------------------------------------------

message: 1
date: Mon, 17 Aug 2015 19:42:23 +0200
from: "p.Caroti" <p.caroti@xxxxxxxx>
subject: [WEB400] put in safety my Rest Web Services

Hi



I have written and published some web services to send and receive data
from an app (Android and iOS); at this moment anybody who knows the System i IP
address and web service name could send and receive data from my System i.
My question is how I could protect the web service calls. I was thinking
of a dynamic password linked to date and time, passed as a parameter in the URI.
Which technique do you use in these situations?



Thanks in advance


--
This is the Web Enabling the IBM i (AS/400 and iSeries) (WEB400) mailing
list
To post a message email: WEB400@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/web400
or email: WEB400-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/web400.
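
The session-table flow outlined in Richard Schoen's message, as an added Python example that is not code from the thread or from any IBM i product. The column names come from the message; the in-memory dictionaries, the 15-minute lifetime, the strict source-IP match and the constructed user and customer records are assumptions.

```python
import hmac
import secrets
import time

SESSION_TTL = 15 * 60     # assumed session lifetime in seconds
USERS = {"user": "pass"}  # constructed; a real store holds password hashes
SESSIONS = {}             # sessionid -> row with the columns named in the message
CUSTOMERS = {100: {"cust": 100, "name": "Constructed Customer"}}


def login(uid, pwd, sourceip, now=None):
    """Authenticate, remove the user's previous sessions, return a new ID or None."""
    now = time.time() if now is None else now
    expected = USERS.get(uid)
    if expected is None or not hmac.compare_digest(expected.encode(), pwd.encode()):
        return None
    for old in [s for s, row in SESSIONS.items() if row["actualuser"] == uid]:
        del SESSIONS[old]
    sid = secrets.token_urlsafe(32)  # long random string: 256 bits from the OS CSPRNG
    SESSIONS[sid] = {
        "actualuser": uid,
        "sessioncreatedtime": now,
        "sessionexpirestime": now + SESSION_TTL,
        "sourceip": sourceip,
    }
    return sid


def check_session(sid, sourceip, now=None):
    """Return the row if sid is known, unexpired and from the same IP, else None."""
    now = time.time() if now is None else now
    row = SESSIONS.get(sid)
    if row is None:
        return None
    if now >= row["sessionexpirestime"]:
        del SESSIONS[sid]  # purge expired rows when they are seen
        return None
    if row["sourceip"] != sourceip:
        return None
    return row


def getcust(cust, sid, sourceip, now=None):
    """The action=getcust call: a bad session ID returns no data."""
    if check_session(sid, sourceip, now) is None:
        return None
    return CUSTOMERS.get(cust)
```

A strict source-IP match will reject a phone that moves between Wi-Fi and mobile data, so that column may be better kept for logging than for enforcement.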




