Where is the authentication token stored on the client side?

I want to host an MVC 4 Web API project on Azure. I need to make sure that the APIs can be accessed from any third-party application and any browser. Implementing a RESTful API that just returns JSON sounds like a good idea to me. Now the biggest problem for me is the creation of an agnostic authentication mechanism. I do not want to use MembershipProvider by default. I will use SSL. I will also not use FormsAuthentication. All API calls will be through jQuery / AJAX.

I am trying to understand token based authentication. Here is what I thought I could do:

- The client sends its credentials to the user on the server via HTTPS
- The server authenticates the client, creates a token, saves it in the database along with the expiration date and time and sends it to the client
- The client sends the token to the server with every API access

Now the part I don’t understand: where is the client storing the token? Is it stored in a cookie? If so, where do third-party non-browser apps store the authentication token? How easy is it to steal a token?

+5
2 answers

cookie ASP.net . HTTP cookie. . (ssl https), . websapps - cookie , , , cookie.

API . . , . API , . Amazon AWS API, . webapi ​​.

  • , .

2. API , . HMAC , .

HTTP API

Authorization: account-id  HMAC_OF_WITH_SECRET_KEY(data + account-id + GMT Date that will be in date header)

3. ( WebApi) AuthorizeAttribute WebApi. , . , HMAC. HMAC , , , . , + HMAC. , , .

, .

+2
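
The `Authorization` header format given in the answer above (account id followed by an HMAC over data + account-id + the GMT `Date` header), worked through for both the signing client and the verifying server. This is an added example, not code from the original answer. The newline-joined string-to-sign, SHA-256 with hex encoding, the 5-minute freshness window, and the names `signRequest`, `verifyRequest` and `SECRETS` are assumptions.

```javascript
const crypto = require("crypto");

// Constructed sample data: the account id and shared secret are placeholders.
const SECRETS = new Map([["acct-1001", "constructed-demo-secret"]]);
const MAX_SKEW_MS = 5 * 60 * 1000; // assumed freshness window for the Date header

// String-to-sign follows the answer's formula: data + account-id + Date header.
// The newline separator is an assumption; it keeps field boundaries unambiguous.
function mac(secret, data, accountId, date) {
  return crypto.createHmac("sha256", secret)
    .update([data, accountId, date].join("\n"))
    .digest("hex");
}

// Client side: build the headers sent with each API call.
// The secret never travels; only the account id and the HMAC do.
function signRequest(accountId, secret, data, now = new Date()) {
  const date = now.toUTCString();
  return {
    Date: date,
    Authorization: `${accountId} ${mac(secret, data, accountId, date)}`,
  };
}

// Server side: returns the account id when the request is authentic and fresh,
// otherwise null.
function verifyRequest(headers, data, now = new Date()) {
  const [accountId, sent] = String(headers.Authorization || "").trim().split(/\s+/);
  const secret = SECRETS.get(accountId);
  if (!secret || !sent) return null; // unknown account or malformed header

  const ts = Date.parse(headers.Date);
  if (Number.isNaN(ts) || Math.abs(now.getTime() - ts) > MAX_SKEW_MS) {
    return null; // missing, unparsable or stale Date header
  }

  const expected = Buffer.from(mac(secret, data, accountId, headers.Date));
  const got = Buffer.from(sent);
  // timingSafeEqual throws on a length mismatch, so check lengths first.
  if (got.length !== expected.length || !crypto.timingSafeEqual(got, expected)) {
    return null; // body, account id or date was altered, or the wrong key was used
  }
  return accountId;
}
```

A request captured in transit can still be replayed inside the freshness window, so TLS remains necessary and the window should stay short.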

. .

cookie , , cookie. .

0
