Sunday, August 3, 2008

c# web service authorization method

I'm not an expert on this issue, but what I used in my previous project was the token method.
A token encrypted by the client needs to be included in every message and is decrypted
on the server side. The server uses the decrypted content to verify the user. A session is also used to
stop people from repeatedly trying tokens.
Another important thing is secure transfer. SSL encryption should be used, and this can be configured in the
IIS server, so the published web service URL should start with https://. This way the token won't be
stolen in transit.
I'm also thinking of improving the encryption carried out on the client by having it acquire keys from the server.
The keys would be changed from time to time, so even if a token were leaked, it wouldn't be valid for long.
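The scheme described above, as an added example that is not the author's code: the client encrypts a token carrying the user name and a timestamp, the server decrypts and checks it, and a per-session failure counter stops tokens from being tried one after another. It assumes .NET 8 and uses AES-GCM so a tampered token is rejected; TokenAuth, Key, MaxFailures and the sessionId parameter are hypothetical names.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example, not the post's code: a client-encrypted token carrying the user name and a
// timestamp, decrypted and checked on the server, plus a per-session failure counter.
public static class TokenAuth
{
    // Hypothetical key the server hands to the client over HTTPS and rotates periodically.
    public static byte[] Key = RandomNumberGenerator.GetBytes(32);
    private static readonly Dictionary<string, int> Failures = new();
    public const int MaxFailures = 5;

    // Client side: token = nonce || tag || AES-GCM(user|unixSeconds), base64-encoded.
    public static string MakeToken(string user)
    {
        byte[] plain = Encoding.UTF8.GetBytes($"{user}|{DateTimeOffset.UtcNow.ToUnixTimeSeconds()}");
        byte[] nonce = RandomNumberGenerator.GetBytes(12);
        byte[] cipher = new byte[plain.Length];
        byte[] tag = new byte[16];
        using (var aes = new AesGcm(Key, 16))
            aes.Encrypt(nonce, plain, cipher, tag);
        byte[] token = new byte[28 + cipher.Length];
        nonce.CopyTo(token, 0); tag.CopyTo(token, 12); cipher.CopyTo(token, 28);
        return Convert.ToBase64String(token);
    }

    // Server side: reject tampered, malformed or stale tokens and lock a session
    // after too many failures so tokens cannot simply be tried one after another.
    public static bool Verify(string sessionId, string token, string expectedUser, int maxAgeSeconds = 300)
    {
        if (Failures.GetValueOrDefault(sessionId) >= MaxFailures) return false;
        bool ok = false;
        try
        {
            byte[] raw = Convert.FromBase64String(token);
            byte[] plain = new byte[raw.Length - 28];   // negative length throws, caught below
            using (var aes = new AesGcm(Key, 16))
                aes.Decrypt(raw.AsSpan(0, 12), raw.AsSpan(28), raw.AsSpan(12, 16), plain);
            string[] parts = Encoding.UTF8.GetString(plain).Split('|');
            long age = DateTimeOffset.UtcNow.ToUnixTimeSeconds() - long.Parse(parts[1]);
            ok = parts[0] == expectedUser && age >= 0 && age <= maxAgeSeconds;
        }
        catch (Exception) { }                            // bad base64, bad tag, malformed payload
        if (!ok) Failures[sessionId] = Failures.GetValueOrDefault(sessionId) + 1;
        return ok;
    }
}
```

In a real service the static Key would be the server-issued, periodically rotated key the post proposes, and the failure counter would live in the session store rather than a static dictionary.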