by devb0x on 12/2/13, 8:40 PM with 12 comments
If you have an Angular or Knockout front end, are you storing the login details in a cookie and passing in the header, or via a token? Where are you storing that token?
I am new to this sort of api / javascript front end and want to deal with security according to best practice.
What do you recommend?
by tptacek on 12/3/13, 8:15 PM
by jo_ on 12/2/13, 9:00 PM
It's up to the client to store the token however it likes, but our reference implementation stores it as a cookie on the local machine.
If a new request comes from an IP address which doesn't match the encrypted token, or if there are system details in the encrypted token which don't match up with the one on file (we restrict sessions to single instances), then the request is rejected.
by junto on 12/3/13, 12:19 PM
ServiceStack uses a HTTP cookie and supports a variety of authentication options out of the box, including basic auth.
https://github.com/ServiceStack/ServiceStack/wiki/Authentica...
We also use the easy hooks that ServiceStack offers to validate API developer / app tokens as well.
Social Bootstrap API is a backbone example:
https://github.com/ServiceStack/SocialBootstrapApi
https://github.com/ServiceStack/ServiceStack.Examples
http://stackoverflow.com/questions/15862634/in-what-order-ar...
It also has various other goodies, such as:
https://github.com/ServiceStack/ServiceStack/wiki/Metadata-p...
https://github.com/ServiceStack/ServiceStack/wiki/The-IoC-co...
https://github.com/ServiceStack/ServiceStack/wiki/Plugins
https://github.com/ServiceStack/ServiceStack/wiki/Clients-ov...
It also doesn't require ASP.NET and can run on Unix under Mono.
Try it, you won't go back to WebAPI, I guarantee it!