Security in API authentication
Posted
by Carlos
on Stack Overflow
See other posts from Stack Overflow
or by Carlos
Published on 2010-04-01T18:27:16Z
Indexed on
2010/04/01
23:53 UTC
Read the original article
Hit count: 290
We are in the process of revamping our server side API, and we need to manage security. Our current model requires that a credentials object (containing user, password, and pin) be included in each method invocation. Our development team, however, has decided that we should have session objects instead (which is fine by me), but the new credentials are just a GUID. This is very different from what I've seen in other APIs in our industry, so I'm a bit concerned about how secure the new model will be. I asked them if they had analyzed both alternatives, and they said they haven't.
Does anyone know if there're any clear advantages, disadvantages, risks, etc. of using a set of credentials versus just one element (complex as it may be)?
PS: the communication channel would be secure in either case, and it's separate from this particular topic
© Stack Overflow or respective owner