Cookies are bad for you

Most web applications today use browser cookies to keep a user logged in while she is using the application. Cookies are a decades-old device and they do not stand up well to the security threats that have emerged on the modern web. In particular, because the browser attaches a site's cookies to every request sent to that site, regardless of which page initiated it, cookie-based sessions are vulnerable to cross-site request forgery. Web applications can be made more secure by using OAuth for session authentication.

This post is based on a talk that I gave at Open Source Bridge this year. The slides for that talk are available here.
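As an added illustration of the point above (example code written for this page, not from the original post or talk), the toy model below contrasts an endpoint that authenticates from a session cookie with one that expects a bearer token, such as an OAuth access token, in the Authorization header. The sites, users, session ids, token values and the simplified "browser" are all constructed; the one browser behaviour modelled is that cookies ride along on every request to their site while a custom header can only be set by script on the application's own origin.

```python
# Added example (not from the original post): a toy model of why a session
# cookie can be forged cross-site while a bearer token in an Authorization
# header cannot. The "browser", sites, users and tokens are all constructed.
from dataclasses import dataclass, field

APP = "https://bank.example"      # constructed: the application under protection
EVIL = "https://other.example"    # constructed: an unrelated site

# Constructed server-side state: cookie session ids and bearer tokens -> users.
SESSIONS = {"sess-abc123": "alice"}
TOKENS = {"tok-xyz789": "alice"}


@dataclass
class Request:
    origin: str                     # site whose page initiated the request
    target: str                     # site the request is sent to
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


class ToyBrowser:
    """Models one real browser behaviour: every request to a site carries that
    site's cookies, no matter which page started the request. A custom header
    such as Authorization can only be added by script running on the app's own
    origin, which is also the only place the token is held."""

    def __init__(self):
        self.cookie_jar = {}        # site -> {cookie name: value}

    def set_cookie(self, site, name, value):
        self.cookie_jar.setdefault(site, {})[name] = value

    def send(self, origin, target, form=None, headers=None):
        # Custom headers survive only when the request is started by the app's own pages.
        allowed_headers = dict(headers or {}) if origin == target else {}
        return Request(origin=origin, target=target,
                       cookies=dict(self.cookie_jar.get(target, {})),
                       headers=allowed_headers, form=dict(form or {}))


def transfer_with_cookie(req):
    """Endpoint that authenticates the caller from the session cookie alone."""
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        return 401, "not logged in"
    return 200, f"{user} sent {req.form['amount']} to {req.form['to']}"


def transfer_with_bearer(req):
    """Same endpoint, but the caller must present a bearer token (as an
    OAuth-issued access token would be) in the Authorization header."""
    auth = req.headers.get("Authorization", "")
    user = TOKENS.get(auth[len("Bearer "):]) if auth.startswith("Bearer ") else None
    if user is None:
        return 401, "missing or invalid token"
    return 200, f"{user} sent {req.form['amount']} to {req.form['to']}"


def run_scenarios():
    """Returns {scenario: HTTP status} for same-site and cross-site requests."""
    browser = ToyBrowser()
    browser.set_cookie(APP, "session", "sess-abc123")   # alice is logged in to APP
    payload = {"amount": "100", "to": "mallory"}        # constructed form data
    auth = {"Authorization": "Bearer tok-xyz789"}
    return {
        "cookie_same_site": transfer_with_cookie(browser.send(APP, APP, payload))[0],
        # A form on EVIL posting to APP: the browser still attaches APP's cookie.
        "cookie_cross_site": transfer_with_cookie(browser.send(EVIL, APP, payload))[0],
        "bearer_same_site": transfer_with_bearer(browser.send(APP, APP, payload, auth))[0],
        # The same cross-site post cannot carry the Authorization header.
        "bearer_cross_site": transfer_with_bearer(browser.send(EVIL, APP, payload, auth))[0],
    }


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(f"{name}: {status}")
```

Running it shows the cookie endpoint accepting the cross-site post (status 200) while the bearer endpoint rejects it (401). The trade-off a practitioner should weigh is that a token the page's script can read is exposed to any script injection on that origin, whereas an HttpOnly cookie is not; anti-CSRF tokens and the SameSite cookie attribute are the usual ways to keep cookie sessions while closing the forgery gap.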

Authentication vs Authorization

I wish these two words didn’t share the same root, because it surely confuses a lot of people. The example I discuss most often is OAuth. Every time I start talking about implementing a centralized/unified authentication system, someone jumps in and suggests that we use OAuth. The problem is that OAuth is an authorization system, not an authentication system.

It’s tricky, because you might actually be “authenticating” yourself to website X using OAuth. What you are really doing is allowing website X to use your information stored by the OAuth provider. It is true that OAuth offers a pseudo-authentication approach via its provider but that is not the main goal of OAuth: the Auth in OAuth stands for Authorization, not Authentication.

Here is how we could briefly describe each role:

  • Authentication: establishes who you are.
  • Authorization: determines what you are allowed to do, or what you allow others to do.

Application developers are the customers of a Web API. Success is measured by how quickly app developers enjoy success using your API in their applications. And rapid adoption of a Web API is all about design. This e-book will help you make design choices from the application developer’s point of view so that the benefits of proven design principles and best practices will make your initiative a success.

Web API Design

This is a brilliant eBook. Well worth the read. Well done Apigee!

Getting started with Web API, Windows Azure ACS on iOS

Here are some useful resources that I have been compiling regarding the new ASP.NET MVC4 (RC) Web API, which provides us with a rapid, testable web API built around MVC and REST. No more WCF for web HTTP APIs!

To quote Microsoft on Web API:

ASP.NET Web API is a framework that makes it easy to build HTTP services that reach a broad range of clients, including browsers and mobile devices. ASP.NET Web API is an ideal platform for building RESTful applications on the .NET Framework.

So, a list of resources, in no particular order:

These resources are related to Windows Azure Access Control Service and security in general with Web API.

Finally, there is an iOS toolkit designed to help iOS developers work with ACS: