some advice needed
-
:confused: Hello, I'm writing some server-side web services. But now I'm stuck. What I have done so far is write some code that takes a username and password and validates them using a backend DB table. If OK, I return a token, just a string with a random number in it. My question - what do I do next? I thought of putting the value in a SOAP header so that calling web services (the clients) can use this token to make sure the user is valid and so that the user doesn't have to keep logging on. Also I need to check the token is still valid, e.g. check the timestamp; if it is about to expire, renew it, otherwise redirect the user to a login page. Does this seem plausible? Any help much appreciated.
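An added illustration of the token scheme described in the post (example code, not from the original poster): a server-side store that issues a random token after the password check has passed, validates it against its expiry timestamp, renews and rotates it when it is about to expire, and keeps only a hash of the token so the table itself never holds a live credential. The 15-minute lifetime and 5-minute renewal window are assumed values; the `now` parameter exists so the clock can be controlled in tests.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TOKEN_TTL = 15 * 60     # seconds a token stays valid after issue or renewal (assumed)
RENEW_WINDOW = 5 * 60   # renew when less than this much lifetime remains (assumed)


@dataclass
class Session:
    username: str
    expires_at: float


class SessionStore:
    """Server-side session table keyed by SHA-256(token).

    The client only ever holds the opaque token; the server stores a digest,
    so a leaked copy of the table does not hand out usable sessions."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username: str, now: Optional[float] = None) -> str:
        # Call this only after the username/password check against the DB succeeded.
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not random()
        self._sessions[self._key(token)] = Session(username, now + TOKEN_TTL)
        return token

    def validate(self, token: str, now: Optional[float] = None) -> Optional[Tuple[str, str]]:
        """Return (username, token_to_use_from_now_on), or None if the user must log in again.

        On renewal the token is rotated, so an older copy stops working."""
        now = time.time() if now is None else now
        key = self._key(token)
        session = self._sessions.get(key)
        if session is None:
            return None                      # unknown token: redirect to login
        if now >= session.expires_at:
            del self._sessions[key]          # expired: drop it and force a fresh login
            return None
        if session.expires_at - now < RENEW_WINDOW:
            del self._sessions[key]          # about to expire: renew with a new token
            return session.username, self.issue(session.username, now)
        return session.username, token       # still valid, keep using the same token

    def revoke(self, token: str) -> None:
        self._sessions.pop(self._key(token), None)  # explicit logout
```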
-
Hi Plork. It seems to me that what you need is session support, maybe based on web services; I don't know what you are trying to do. Note that with your approach, a "man in the middle" or "impersonation" attack is possible; do a little search for web security using words like XSS (cross site scripting) or hijacking web sessions. In my opinion, that problem has already been solved a lot, but for educational purposes, anything is feasible of course. Best regards, eidan