Securing a (WCF) REST service.
I have been reading on how to secure a RESTful service, and the more I read, the more confused I get. Basically I am required to pass two types of credentials:
- Database credentials: login, password, host.
- Store-level employee credentials: 6-digit number, password.
I'm thinking what I can do is have a method like:
string SignIn(string employeeNumber, string employeePassword, string login, string password, string hostName);
What I would do then is, if this info validates, I can just store this info somewhere and create/return a session key. Then with subsequent calls the session key can be passed in the header. Now, let's say I have a method like:
void GetData(string id);
Is it in that method that I check to see if the session id is valid? A coworker said that if a user (or attacker) can get inside that method then he's technically already in. So it has me thinking that I should be validating the call before the WCF runtime invokes the method. But I've seen some examples that disprove this. What are the best practices that I need to follow to secure a REST web service?
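As an added example (not code from the question or its author), here is one way to implement the approach the question leans towards: checking the session key in a WCF message inspector, which runs in the dispatch pipeline before the operation is selected or invoked, so `GetData` itself never has to check anything and an unauthenticated request never reaches it. The header name `X-Session-Key`, the in-memory `SessionStore`, the `/SignIn` path exemption and the `ValidateCredentials` hook are all assumptions made for the example; the real employee and database credential check is application logic and is not shown.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.ObjectModel;
using System.Net;
using System.Security.Cryptography;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.ServiceModel.Web;

// Assumed in-memory session store (a shared cache or table in production).
// The key is random, unrelated to the credentials it stands for, and expires.
public static class SessionStore
{
    private static readonly ConcurrentDictionary<string, DateTime> Sessions =
        new ConcurrentDictionary<string, DateTime>();
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(30);

    public static string Create()
    {
        var bytes = new byte[32];                       // 256 bits of randomness
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(bytes);
        string key = Convert.ToBase64String(bytes);
        Sessions[key] = DateTime.UtcNow.Add(Lifetime);
        return key;
    }

    public static bool IsValid(string key)
    {
        DateTime expires;
        if (string.IsNullOrEmpty(key) || !Sessions.TryGetValue(key, out expires))
            return false;
        if (expires <= DateTime.UtcNow)
        {
            Sessions.TryRemove(key, out expires);       // drop expired keys
            return false;
        }
        return true;
    }
}

// Runs for every request before the operation is selected or invoked.
public class SessionCheckInspector : IDispatchMessageInspector
{
    private const string HeaderName = "X-Session-Key";   // assumed header name

    public object AfterReceiveRequest(ref Message request, IClientChannel channel,
                                      InstanceContext instanceContext)
    {
        // SignIn is the one operation that legitimately has no session yet (assumed path).
        string path = request.Headers.To != null ? request.Headers.To.AbsolutePath : "";
        if (path.EndsWith("/SignIn", StringComparison.OrdinalIgnoreCase))
            return null;

        var http = request.Properties[HttpRequestMessageProperty.Name] as HttpRequestMessageProperty;
        string key = http != null ? http.Headers[HeaderName] : null;
        if (!SessionStore.IsValid(key))
            throw new WebFaultException(HttpStatusCode.Unauthorized);   // 401; the operation never runs

        return null;
    }

    public void BeforeSendReply(ref Message reply, object correlationState) { }
}

// Attaches the inspector to every endpoint of the service it decorates.
[AttributeUsage(AttributeTargets.Class)]
public class RequireSessionAttribute : Attribute, IServiceBehavior
{
    public void ApplyDispatchBehavior(ServiceDescription description, ServiceHostBase host)
    {
        foreach (var dispatcherBase in host.ChannelDispatchers)
        {
            var cd = dispatcherBase as ChannelDispatcher;
            if (cd == null) continue;
            foreach (EndpointDispatcher ed in cd.Endpoints)
                ed.DispatchRuntime.MessageInspectors.Add(new SessionCheckInspector());
        }
    }

    public void AddBindingParameters(ServiceDescription description, ServiceHostBase host,
        Collection<ServiceEndpoint> endpoints, BindingParameterCollection parameters) { }

    public void Validate(ServiceDescription description, ServiceHostBase host) { }
}

[ServiceContract]
[RequireSession]
public class StoreService
{
    // Assumed hook for the application's own check of the employee and database
    // credentials; set at host startup. Defaults to rejecting everything so an
    // unconfigured service fails closed.
    public static Func<string, string, string, string, string, bool> ValidateCredentials =
        (emp, empPw, login, pw, host) => false;

    [OperationContract]
    [WebInvoke(Method = "POST", UriTemplate = "SignIn", BodyStyle = WebMessageBodyStyle.WrappedRequest)]
    public string SignIn(string employeeNumber, string employeePassword,
                         string login, string password, string hostName)
    {
        if (!ValidateCredentials(employeeNumber, employeePassword, login, password, hostName))
            throw new WebFaultException(HttpStatusCode.Unauthorized);
        return SessionStore.Create();   // client sends this back in X-Session-Key
    }

    [OperationContract]
    [WebGet(UriTemplate = "Data/{id}")]
    public string GetData(string id)
    {
        // No session check here: the inspector has already rejected unauthenticated calls.
        return "data for " + id;
    }
}
```

Two caveats a practitioner would add. The session key is a bearer token, and the `SignIn` call carries both database and employee passwords in clear, so the endpoint must only be exposed over HTTPS. And the in-memory dictionary is per-process: with more than one host instance the store has to move to something shared (database or cache) so a key issued by one instance is accepted by the others.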