IDG Contributor Network: Implement HTTP authentication in Web API
In this article I present a discussion of implementing HTTP authentication in Web API. Two ways in which you can implement HTTP authentication in your Web API are covered here:
- Forms authentication
- Basic authentication
Windows authentication is not considered here, as it is not a feasible strategy for a public service: it relies on NTLM or Kerberos and on Windows domain accounts, so you cannot reasonably expose your service over the Internet if you leverage it.
Securing Web API using Forms Authentication
Forms authentication uses the ASP.NET membership provider and carries the authentication ticket in a standard HTTP cookie instead of the Authorization header. This makes it less REST-friendly: clients must manage cookies to consume the service, and because a browser attaches the cookie to every request it sends to the domain, a cookie-authenticated API is exposed to cross-site request forgery (CSRF) attacks. If you use forms authentication, you therefore need to implement anti-CSRF measures, such as requiring an anti-forgery token that a cross-origin page cannot supply. Forms authentication also does nothing to protect the user's credentials on the wire: the login request carries the username and password in clear text, and the ticket cookie can be captured on an unencrypted connection. Hence this is not a secure strategy unless you run your Web API over TLS (SSL).
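The following is an added example, not code from this article, showing one way to add the anti-CSRF measure described above to a forms-authenticated Web API. It assumes the API is hosted under IIS (System.Web.Helpers.AntiForgery reads the current user from HttpContext.Current, so it does not apply to self-hosted Web API), that forms authentication is already configured, and that the page's script sends the second half of the token pair in a request header named `X-XSRF-Token` (a name chosen for this example, not an ASP.NET default). The controller, filter and namespace names are likewise illustrative.

```csharp
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Web.Helpers;            // AntiForgery, AntiForgeryConfig (System.Web.Helpers.dll)
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

namespace WebApiFormsAuthDemo   // hypothetical namespace for this example
{
    // Issues an anti-forgery token pair for the signed-in forms-auth user.
    // The cookie half is set as an HttpOnly, Secure cookie; the other half is
    // returned in the body so the page's script can replay it in a header.
    public class AntiForgeryController : ApiController
    {
        [Authorize]
        public HttpResponseMessage Get()
        {
            var existing = Request.Headers.GetCookies(AntiForgeryConfig.CookieName).FirstOrDefault();
            string oldCookieToken = existing?[AntiForgeryConfig.CookieName]?.Value;

            // newCookieToken is null when the existing cookie token is still valid.
            string newCookieToken, formToken;
            AntiForgery.GetTokens(oldCookieToken, out newCookieToken, out formToken);

            var response = Request.CreateResponse(HttpStatusCode.OK, new { token = formToken });
            if (newCookieToken != null)
            {
                var cookie = new CookieHeaderValue(AntiForgeryConfig.CookieName, newCookieToken)
                {
                    HttpOnly = true,   // script cannot read it, so XSS cannot lift it directly
                    Secure = true,     // only ever sent over TLS
                    Path = "/"
                };
                response.Headers.AddCookies(new[] { cookie });
            }
            return response;
        }
    }

    // Rejects state-changing requests unless the header token and the cookie token
    // validate as a pair for the current user. A cross-site page can make the browser
    // send the forms-auth cookie, but it cannot add this custom header.
    public class ValidateAntiForgeryHeaderAttribute : ActionFilterAttribute
    {
        public const string HeaderName = "X-XSRF-Token";   // assumed header name for this example

        public override void OnActionExecuting(HttpActionContext actionContext)
        {
            var request = actionContext.Request;

            // Safe methods change no state; the forms-auth cookie alone is acceptable for them.
            if (request.Method == HttpMethod.Get ||
                request.Method == HttpMethod.Head ||
                request.Method == HttpMethod.Options)
            {
                return;
            }

            string headerToken = null;
            if (request.Headers.TryGetValues(HeaderName, out var values))
            {
                headerToken = values.FirstOrDefault();
            }

            var cookie = request.Headers.GetCookies(AntiForgeryConfig.CookieName).FirstOrDefault();
            string cookieToken = cookie?[AntiForgeryConfig.CookieName]?.Value;

            try
            {
                // Throws if either token is missing, tampered with, not from the same pair,
                // or was issued to a different user than the one the forms-auth ticket names.
                AntiForgery.Validate(cookieToken, headerToken);
            }
            catch (System.Web.Mvc.HttpAntiForgeryException)
            {
                actionContext.Response = request.CreateErrorResponse(
                    HttpStatusCode.Forbidden, "Missing or invalid anti-forgery token.");
            }
        }
    }

    // Usage: a forms-authenticated action that changes state.
    public class OrdersController : ApiController
    {
        [Authorize]
        [ValidateAntiForgeryHeader]
        public IHttpActionResult Post([FromBody] string order)
        {
            return Ok(new { accepted = order });
        }
    }
}
```

The client first calls `GET /api/antiforgery` (which the browser authenticates with the forms cookie), stores the returned `token`, and sends it as `X-XSRF-Token` on every POST, PUT, PATCH and DELETE. Requiring a custom header on its own already forces a cross-origin request through a CORS preflight that the API should refuse; validating the token pair on top of that is defence in depth against a permissive CORS policy or a browser that does not preflight.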