Authentication, Authorization and Session Management in Traditional Web Apps and APIs

by

HTTP Protocol is stateless by design, each request is done separately and is executed in a separate context.

The idea behind session management is to put requests from the same client in the same context. This is done by issuing an identifier by the server and sending it to the client, then the client would save this identifier and resend it in subsequent requests so the server can identify it.

Cookies

In a typical browser-server case; the browser manages a list of key/value pairs, known as cookies, for each domain:

  • Cookies can be managed by the server (created/modified/deleted) using the Set-Cookie HTTP response header.
  • Cookies can be accessed by the server (read) by parsing the Cookie HTTP request header.

Web-targeted programming languages/frameworks provide functions to deal with cookies on a higher level, for example, PHP provides setcookie/$_COOKIE to write/read cookies.

Sessions

Back to sessions, In a typical browser-server case (again), server-side session management takes advantage of client-side cookie management. PHP’s session management sets a session id cookie and use it to identify subsequent requests.

Web applications API?

Now back to your question; since you’d be the one responsible for designing the API and documenting it, the implementation would be your decision. You basically have to

  1. give the client an identifier, be it via a Set-Cookie HTTP response header, inside the response body (XML/JSON auth response).
  2. have a mechanism to maintain identifier/client association. for example a database table that associates identifier 00112233445566778899aabbccddeeff with client/user #1337.
  3. have the client resend the identifier sent to it at (1.) in all subsequent requests, be it in an HTTP Cookie request header, a ?sid=00112233445566778899aabbccddeeff param(*).
  4. lookup the received identifier, using the mechanism at (2.), check if a valid authentication, and is authorized to do requested operation, and then proceed with the operation on behalf on the auth’d user.

Of course you can build upon existing infrastructure, you can use PHP’s session management (that would take care of 1./2. and the authentication part of 4.) in your app, and require that client-side implementation do cookie management(that would take care of 3.), and then you do the rest of your app logic upon that.

(*) Each approach has cons and pros, for example, using a GET request param is easier to implement, but may have security implications, since GET requests are logged. You should use https for critical (all?) applications.

More Related Contents:

  1. REST API Authorization & Authentication (web + mobile)
  2. Authentication versus Authorization
  3. Why does AuthorizeAttribute redirect to the login page for authentication and authorization failures?
  4. How to solve flutter web api cors error only with dart code?
  5. Has Yahoo suddenly today terminated its finance download API?
  6. karate-gatling report aggregation
  7. Syntax of Keras Functional API
  8. How to use JWT in MVC application for authentication and authorization?
  9. Why can’t a Flutter application connect to the Internet when installing “app-release.apk”? But it works normally in debug mode
  10. Stock ticker symbol lookup API [closed]
  11. Token Based Authentication in ASP.NET Core (refreshed)
  12. Basic API in golang antipattern?
  13. Instagram API: How to get all user media?
  14. Sending POST request with username and password and save session cookie
  15. Yahoo! Finance CSV file will not return Dow Jones (^DJI)
  16. Set timeout for HTTPClient get() request
  17. CakePHP remember me with Auth
  18. Equivalent of define-fun in Z3 API
  19. How to retrieve ItemAttachment contents from Office 365 REST API?
  20. How can I retrieve Wiktionary word content?
  21. How can a Jenkins user authentication details be “passed” to a script which uses Jenkins API to create jobs?
  22. What is the REST (or CLI) API for logging in to Amazon Cognito user pools
  23. PHP authentication with multiple domains and subdomains
  24. aws api gateway & lambda: multiple endpoint/functions vs single endpoint
  25. How to open-source an application that uses API keys [closed]
  26. Google Maps Web site and API : different results
  27. get releases empty in github api
  28. destroy session when broswer tab closed
  29. Twitter API – Reasons for “invalid or expired token”
  30. Retrieve cover artwork using Spotify API

Leave a Comment