Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I am building an RESTful API for an application I am working on and client coders need to be able to submit data to the API on behalf of a user. All the popular API’s I’ve used require me to send the generated session token (created when a user is logged in) for the user with a request to post information on the users behalf.
My question out of curiosity is why do these API’s require a session key and not just allow me to send the username and password again with each request?
Thanks.
The main reason is no doubt a security issue around passing sensitive data back and forth. Passing a session key means that if it is compromised it only has a limited lifespan for the attacker to use it. Also, if an attacker compromised the session key, they could not use that information to launch an attack against other websites that the user may have accounts with (and will likely use the same password).
Another reason to use the session key is that if the user changes their password whilst you are busy using the API’s you will not suddenly be locked out.