I've been playing with ASP.NET Web API and the basic auth header (with user:pass in base64).<p>If you have an Angular or Knockout front end, are you storing the login details in a cookie and passing them in the header, or via a token? Where are you storing that token?<p>I am new to this sort of API / JavaScript front end and want to deal with security according to best practice.<p>What do you recommend?
Don't use usernames and passwords as API authentication. Generate a random 128-bit token for each user (RNGCryptoServiceProvider, GetBytes on a 16-byte array) and pass that as a header (or as Authorization). Make sure your API endpoints require HTTPS.
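One way to implement the scheme this comment describes in ASP.NET Web API 2, added here as an example and not the commenter's code: the in-memory `TokenStore`, the `RequireToken` filter and the `Bearer` header scheme are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Hypothetical in-memory store that keeps only SHA-256 hashes of issued tokens,
// so a leaked store does not hand out usable credentials.
public static class TokenStore
{
    private static readonly ConcurrentDictionary<string, string> HashToUser = new ConcurrentDictionary<string, string>();
    public static string Issue(string userName)
    {
        var bytes = new byte[16];                               // 128 bits of CSPRNG output
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
        var token = Convert.ToBase64String(bytes);
        HashToUser[Hash(token)] = userName;
        return token;                                           // shown to the client once
    }
    // Lookup is by hash of the secret, so no constant-time string compare is needed.
    public static string Validate(string token)
    {
        string user;
        if (string.IsNullOrEmpty(token)) return null;           // "Authorization: Bearer" with no value
        return HashToUser.TryGetValue(Hash(token), out user) ? user : null;
    }
    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }
}
// Web API 2 filter: refuses plain HTTP and requires "Authorization: Bearer <token>".
public class RequireTokenAttribute : AuthorizationFilterAttribute
{
    public override void OnAuthorization(HttpActionContext ctx)
    {
        var req = ctx.Request;
        if (req.RequestUri.Scheme != Uri.UriSchemeHttps) { ctx.Response = req.CreateResponse(HttpStatusCode.Forbidden, "HTTPS required"); return; }
        var auth = req.Headers.Authorization;
        var user = auth != null && auth.Scheme == "Bearer" ? TokenStore.Validate(auth.Parameter) : null;
        if (user == null) { ctx.Response = req.CreateResponse(HttpStatusCode.Unauthorized); return; }
        ctx.RequestContext.Principal = new GenericPrincipal(new GenericIdentity(user), new string[0]);
    }
}
```

Decorate a controller or action with `[RequireToken]`; the login endpoint calls `TokenStore.Issue` after checking the password and returns the token once, after which the client sends it on every request.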
Speaking purely from the backend, our login function takes the IP address of the requester, the login name, and password, then checks the password against the database. If the password matches up, the current date and time, the current IP, the current time, the session expiration date, and a buttload of details about the host machine are hashed together and encrypted with the system's public key before being sent back as a token.<p>It's up to the client to store the token however it likes, but our reference implementation stores it as a cookie on the local machine.<p>If a new request comes from an IP address which doesn't match the encrypted token, or if there are system details in the encrypted token which don't match up with the one on file (we restrict sessions to single instances), then the request is rejected.
We use ServiceStack with .NET and love it.<p>ServiceStack uses an HTTP cookie and supports a variety of authentication options out of the box, including basic auth.<p><a href="https://github.com/ServiceStack/ServiceStack/wiki/Authentication-and-authorization" rel="nofollow">https://github.com/ServiceStack/ServiceStack/wiki/Authentica...</a><p>We also use the easy hooks that ServiceStack offers to validate API developer / app tokens as well.<p>Social Bootstrap API is a backbone example:<p><a href="https://github.com/ServiceStack/SocialBootstrapApi" rel="nofollow">https://github.com/ServiceStack/SocialBootstrapApi</a><p><a href="https://github.com/ServiceStack/ServiceStack.Examples" rel="nofollow">https://github.com/ServiceStack/ServiceStack.Examples</a><p><a href="http://stackoverflow.com/questions/15862634/in-what-order-are-the-servicestack-examples-supposed-to-be-grokked/15869816#15869816" rel="nofollow">http://stackoverflow.com/questions/15862634/in-what-order-ar...</a><p>It also has various other goodies, such as:<p><a href="https://github.com/ServiceStack/ServiceStack/wiki/Metadata-page" rel="nofollow">https://github.com/ServiceStack/ServiceStack/wiki/Metadata-p...</a><p><a href="https://github.com/ServiceStack/ServiceStack/wiki/The-IoC-container" rel="nofollow">https://github.com/ServiceStack/ServiceStack/wiki/The-IoC-co...</a><p><a href="https://github.com/ServiceStack/ServiceStack/wiki/Plugins" rel="nofollow">https://github.com/ServiceStack/ServiceStack/wiki/Plugins</a><p><a href="https://github.com/ServiceStack/ServiceStack/wiki/Clients-overview" rel="nofollow">https://github.com/ServiceStack/ServiceStack/wiki/Clients-ov...</a><p>It also doesn't require ASP.NET and can run on Unix under Mono.<p>Try it, you won't go back to WebAPI, I guarantee it!