We currently have a web app (.net MVC 5), user’s login using their username and password and then we store an encrypted value in a cookie to authenticate them on future requests.
We are now in the process of designing an API for that will be mainly used by our mobile app (will be built once the API is ready).
What I/we are trying to understand is the best way to secure requests made to the API. Our current plan is to have a simple API method that accepts a username and password, which will then validate these details and on success return a token that is unique to that user. This token will then be used on each subsequent request to authenticate.
The issue here is that if that token is stolen then someone could impersonate that user quite easily. So should we be sending back some kind of token secret that we can use to sign each request (using something like HMAC) then this can be checked on the server before allowing the request to continue?
Token over https is a time-tested and proven approach for securing a web api. If the token is stolen somehow, via an attack on ssl, it will only be valid for a short time. Consider using Thinktecture’s identity server, which has a token server built in.
https://github.com/IdentityServer/IdentityServer2
Whatever you do, resist the urge to re-imagine this problem and construct a custom solution. You are likely to introduce security holes that you won’t have community support to detect and fix.