Home/ Questions/Q 1107971
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-17T02:00:43+00:00

I’m trying to make a web service secure. It’s not for a bank or

  • 0

I’m trying to make a web service secure.
It’s not for a bank or anything of that sort, but the organization using it may lose some money if the service will be used by someone not authorized (it’s hard to tell exactly how much..).

The purpose is not to allow unauthorized applications to use any method (other than “GetChallenge”. for users authentication there is a different mechanism which checks for username and password. I actually combined the two, but they serve different purposes):

So here’s what I do:
I send a (ASP.NET) session key (for everyone to read. ASP.NET’s session Is 15 randomly generated bytes, it lives for 20 minutes unless prolonged, and ASP.NET will not receive any request without it).
In my SignIn method, apart from username and password (which anyone can acquire, since it’s a part of a public site), I receive a third parameter – the session key hashed by md5 algorithm with 6 bytes as salt.
And only if the hash is correct (I’m hashing and comparing it on the server side) – I let the users sign in.
From then on in every method, I check if the user is signed in.

Added: The username and password are sent as clear text, and that’s not a problem (not the one I’m addressing at least). The problem is for someone (other than the company we’re working with) writing an application which uses my web service. The web service should only be used by an authorized application.
Also, the session id is sent back and forth with every request and response (as a part of ASP.NET session mechanism. That’s how ASP.NET knows to “track” a session specific for a user). Sorry for not clarifying that from the first place.
(irrationally thought it was obvious).

How strong and effective is that security strategy?

Thanks.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Updated based on your edit and comment

    It’s pretty secure and is very similar to the approach used by Google, Facebook and others for their API keys. Except…

    Session ID plain text potential issue

    I would recommend against using Session ID as part of a security mechanism.

    The one issue is with passing the session key in plain text across the network. There is potential that this could open up some Session hijack and other attacks.

    From the Microsoft Docs:

    The SessionID is sent between the server and the browser in clear text, either in a cookie or in the URL. As a result, an unwanted source could gain access to the session of another user by obtaining the SessionID value and including it in requests to the server. If you are storing private or sensitive information in session state, it is recommended that you use SSL to encrypt any communication between the browser and server that includes the SessionID.

    As you are using the Session ID as part of your security mechanism I would say that is sensitive data.

    One way to ensure someone doesn’t get hold of your session key is to run your service on HTTPS. Personally I would avoid using the Session ID in this way and generating a non-related value instead.

    Recommended change

    Follow more closely the model used by Google and the like. Generate a new GUID for each application, store the GUID in a database on the server, pass the GUID in each request to your server from the client.

    Benfits:

    • Identifies the client application uniquely, allowing you to track and manage usage per client nicely
    • Easily disable any client by removing the GUID from your data store
    • No sensitive data on the wire

    I would still run the service on HTTPS as it’s easy to setup and gives the added benefit of protecting any other data you send to your service.

    • 0