by stephanos2k on 3/24/14, 3:14 PM with 4 comments
Are there any resources to find best practices for implementing such a system?
by chrisfarms on 3/24/14, 3:44 PM
Even tying a session to a single source IP is not great (think stealing sessions in a coffee shop behind NAT).
Use HTTPS.
Sign requests with a MAC (message authentication code).
Make sure your tokens expire fairly quickly and you have a method to refresh them.
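The three points above (HTTPS, MAC-signed requests, short-lived tokens with a refresh path) as one worked example. This is an added illustration, not code from the thread or from any project either commenter mentions: the function names, the in-memory session store and the header names are hypothetical, and the example assumes the per-session request key is delivered to the client once, over HTTPS, at login.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed for the example; in production load from a KMS or secret store.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 15 * 60              # access tokens expire fairly quickly
SESSION_MAX_AGE = 7 * 24 * 3600  # refresh only within 7 days of the original login
REQUEST_SKEW = 5 * 60            # a signed request is accepted within +/- 5 minutes

# Hypothetical server-side session store: session id -> per-session request key.
SESSIONS = {}

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def _encode(payload: dict) -> str:
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return _b64e(body) + "." + _b64e(_mac(SERVER_KEY, body))

def _decode(token: str):
    """Return the payload if the MAC is valid, else None. Does not check expiry."""
    try:
        body_b64, mac_b64 = token.split(".", 1)
        body = _b64d(body_b64)
        if not hmac.compare_digest(_mac(SERVER_KEY, body), _b64d(mac_b64)):
            return None
        return json.loads(body)
    except (ValueError, TypeError):
        return None

def login(user_id: str, now: float):
    """Create a session: returns (token, request_key). The request key is sent to
    the client once, over HTTPS, and is used to MAC every subsequent request."""
    sid = _b64e(secrets.token_bytes(16))
    SESSIONS[sid] = secrets.token_bytes(32)
    token = _encode({"sub": user_id, "sid": sid, "iat": now, "exp": now + TOKEN_TTL})
    return token, SESSIONS[sid]

def verify_token(token: str, now: float):
    """Return the payload for a valid, unexpired token, else None."""
    payload = _decode(token)
    if payload is None or now >= payload["exp"] or payload["sid"] not in SESSIONS:
        return None
    return payload

def refresh(token: str, now: float):
    """Issue a fresh short-lived token while the session's absolute age is under
    SESSION_MAX_AGE. The original 'iat' is carried over, so refreshing cannot
    extend a session forever."""
    payload = _decode(token)  # an expired access token may still be refreshed
    if payload is None or payload["sid"] not in SESSIONS:
        return None
    if now - payload["iat"] >= SESSION_MAX_AGE:
        SESSIONS.pop(payload["sid"], None)  # session too old: force re-login
        return None
    return _encode({**payload, "exp": now + TOKEN_TTL})

def _canonical(token: str, method: str, path: str, ts: int, body: bytes) -> bytes:
    # Bind the MAC to token, method, path, timestamp and body hash so a captured
    # signature cannot be reused for a different request.
    return "\n".join([token, method.upper(), path, str(ts),
                      hashlib.sha256(body).hexdigest()]).encode()

def sign_request(request_key: bytes, token: str, method: str, path: str,
                 body: bytes, now: float) -> dict:
    """Client side: headers to attach to an outgoing request."""
    ts = int(now)
    sig = _mac(request_key, _canonical(token, method, path, ts, body))
    return {"Authorization": "Bearer " + token, "X-Timestamp": str(ts),
            "X-Signature": _b64e(sig)}

def verify_request(headers: dict, method: str, path: str, body: bytes, now: float):
    """Server side: return the user id if token and request MAC check out, else None."""
    try:
        token = headers["Authorization"].split(" ", 1)[1]
        ts = int(headers["X-Timestamp"])
        sig = _b64d(headers["X-Signature"])
    except (KeyError, ValueError, IndexError):
        return None
    payload = verify_token(token, now)
    if payload is None or abs(now - ts) > REQUEST_SKEW:
        return None
    expected = _mac(SESSIONS[payload["sid"]], _canonical(token, method, path, ts, body))
    if not hmac.compare_digest(expected, sig):
        return None
    return payload["sub"]
```

The token is a bearer credential, so it still has to travel over HTTPS; the per-request MAC means that even a token copied out of a log or a proxy cache is useless without the request key, and the timestamp in the canonical string bounds how long a captured signature stays valid. A request can still be replayed verbatim inside the skew window; closing that requires remembering recently seen signatures or adding a nonce to the canonical string.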