Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How should the Web API access token be stored?

Tags:

asp.net-web-api

asp.net-web-api2

There are some similar topics here in Stackflow but I find none of them has answered my question.

ASP.NET Web API 2 is what we use now. I am now able to accept CORS authentication request from my WebAPI. With the access token sent along in the Authorization header (Bearer xxx), I am able to access the resources protected by [Authorize] tags.

The problem is, how can I implement a function similar to a "Remember me" checkbox in the regular login form? All we want is that the user doesn't need to log in again the next time visiting our webpage. Is the access token for one session only? How does WebAPI2 set the expiration of the token? How Can we save some info in the session or use local storage to store such authentication information? When we store this token in the client side, do we need some sort of encryption to protect it?

What is your suggestion in implementing this "Remember me" function?

like image 976
Blaise Avatar asked Nov 26 '13 18:11

Blaise

1 Answers

"The problem is, how can I implement a function similar to a "Remember me" checkbox in the regular login form? "

Save the token in the clientside localStorage when "Remember me" is checked => When the tab/browser is closed the token is still alive and next time you are automatically logged in

Save the token in the clientside session storage when "Remember me" is not checked => Everytime you close a tab/browser the session storage is cleared. Next time you check the token it does not exist. Therefore yo have to login again...

"All we want is that the user doesn't need to log in again the next time visiting our webpage."

See answer above!

Is the access token for one session only?

YES a tab in the browser is a session.

How does WebAPI2 set the expiration of the token?

You set the time when the token expires!

How Can we save some info in the session or use local storage to store such authentication information?

Only store encrypted token on client side never userid/password

When we store this token in the client side, do we need some sort of encryption to protect it?

The token is encrypted on server side then sent to the client for every request. The client does not need being able reading the token. The client must just send it with everry request thats it.

like image 158
Elisabeth Avatar answered Sep 27 '22 23:09

Elisabeth
Sign in to Comment

Related questions

MVC 5, Web API And Owin
Angular Material Datepicker returns one day before the exact date
Call web api with basic authentication always get 401 unauthorized from IIS
Namespace System.Web.Http.Results not found within asp.net web api application
WEB API Routing Error Multiple actions were found that match the request with different API paths
Log4net appenders always empty
ASP.NET Core Web API Skip Authentication
Dotnet core 2.0 Use Identity with JwtBearer Authentication
sending binary file byte array to web api method
Requesting to github-api using .net HttpClient says Forbidden
Task.ContinueWith execution order
How can I force asp.net webapi to always decode POST data as JSON
How to ignore a route in MVC4 WebAPI configuration?
Catch routing errors
Default Authorization role at Controller level and override at method
How to transform OData filter to a LINQ expression?
DELETE multiple IDs with WebAPI Delete Endpoint?
Web Api call is returning a 404 error with GUID passed as param
MVC 4 Web Api Build in x64 mode giving error while executing "Could not load file or assembly 'xxx' or one of its dependencies
Castle Windsor register an interface

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!