I’m working on a client- server system where the client is an iphone app that communcates with the backend via SOAP messages.
Right now the client sends the username and password in the SOAP body with each request, which isn’t good of course.
The solution to this needn’t (in fact: can’t) be too sophisticated, I just don’t want to send the username and password around too much.
Would an “okay” solution be to let the client authenticate once with username/ pw, then receive a token that is valid for say 1 hour and has to be sent with every request?
What would be the ‘best practice’ for this scenario? WS- Security?
Using security token valid for a certain period is pretty common practice. Sending credentials with each request is certainly not recommended.
you can refer following links for more details:
https://softwareengineering.stackexchange.com/questions/83037/best-practices-for-expiration-of-tokens-in-a-security-token-service-sts
https://developers.google.com/accounts/docs/MobileApps