I’m building an API with no server-side authentication. A unique key (assume the key is very long and impossible to guess) will be generated for the session, but no cookie will be set on the client. The client could be a web browser with AJAX, a PHP script using CURL, or a desktop application. The normal transaction process I’m imagining will be:
Initial encounter
- The client makes an initial request, calling a start_session method
- The server generates a key and returns it along with some initial data
- The client stores the key for later use (e.g. JavaScript sets a cookie with the key)
Next request
- The client requests the server again, calling some set_data method, providing the original session key, as well as loads of private data such as a credit card number, information about legal cases, etc.
- The server responds, and the responds with a success message
Another request
- The client requests the server again, providing the original session key, and calling some get_data method
- The server responds with all of the private data in some format (e.g. XML, JSON, etc)
A session key expires, if not used, in a 20 minutes, and all API URIs will require SSL.
My concern / question is: Do I need to be worried about whether the client has leaked the session key. Without authentication, I’m trusting that the original requester to keep the session key private. Is this common / safe practice?
Unless you use HTTPS throughout, you’re vulnerable to HTTP sniffing, a la Firesheep.
Eve, if you do use SSL, if the client page isn’t SSL or contains any non-SSL Javascript (or non-SSL frames in the same domain), you’re still vulnerable (and there’s nothing you can do about it)
To answer your stated question, it completely depends on your situation.
EDIT: You should warn your clients (developers) in the documentation page to handle the key correctly.
Beyond that, it depends on the average skill level of the clients.
You should probably have a disclaimer of some sort (I am not a lawyer).
It’s probably OK.