Authenticating requests from mobile (iPhone) app to ASP.Net Web API (Feedback requested on my design)

爱一瞬间的悲伤 2021-01-29 21:51

I'm designing a web site that will have a mobile companion (initially iPhone only). The web site will be an ASP.Net MVC 3 application. I'll also have an ASP.Net Web API site (M

3 answers
  •  抹茶落季
    2021-01-29 22:10

    My suggestions

    1. Authentication and Authorization. Build it on 2 different servers (in some projects I have used 3 as well). Reverse proxy servers are really good with this. Authenticate on one server and authorize it on the other.

    This is the most important step, I think, that is needed in mobile security that uses Web APIs.

    1. Encapsulate everything.

    2. Use SSL for all secure information. In my case I use it for everything.

    3. For your timestamp, select a suitable time for which you can have authorization. Do not make this very short, as your app will become slow, or too long, as network sniffers can access the packets.

    If you want a 3-server architecture, for your requests have an application key as well that you use to generate an access key (from server 1). This access key will authenticate your requests, which after successful authentication (from server 2) you can use that key to authorize your requests from another server (server 3).

    The requests you have mentioned are standard norms. Don't really see a problem with that.
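
The application-key to access-key exchange with a validity window described in the answer above, as an added example (not code from the answer or the question). It assumes an HMAC-SHA256 signed token, a secret shared by the issuing and checking servers, C# 7 or later, and hypothetical names (`AccessKeys`, `Issue`, `TryValidate`, `Seal`).

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

// Added illustration: token layout, names and HMAC-SHA256 are assumptions, not from the post.
public static class AccessKeys
{
    // Server 1: exchange an application key for an access key that expires after `lifetime`.
    public static string Issue(string appKey, byte[] secret, DateTimeOffset now, TimeSpan lifetime) =>
        Seal(appKey + "." + now.Add(lifetime).ToUnixTimeSeconds().ToString(CultureInfo.InvariantCulture), secret);
    // Server 2: accept the key only if the signature matches and the window is still open.
    public static bool TryValidate(string token, byte[] secret, DateTimeOffset now, out string appKey)
    {
        appKey = null;
        string[] parts = (token ?? "").Split('.');
        if (parts.Length != 3 ||
            !long.TryParse(parts[1], NumberStyles.None, CultureInfo.InvariantCulture, out long expires))
            return false;                                    // malformed
        if (!FixedTimeEquals(Seal(parts[0] + "." + parts[1], secret), token))
            return false;                                    // forged or altered
        if (now.ToUnixTimeSeconds() >= expires)
            return false;                                    // validity window has passed
        appKey = parts[0];
        return true;
    }
    // Returns "payload.base64(HMAC-SHA256(secret, payload))"; Base64 never contains '.'.
    static string Seal(string payload, byte[] secret)
    {
        using (var hmac = new HMACSHA256(secret))
            return payload + "." + Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }
    // Compare without stopping at the first differing character.
    static bool FixedTimeEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    public static void Main()
    {
        byte[] secret = Encoding.UTF8.GetBytes("constructed-demo-secret");   // constructed sample
        DateTimeOffset t0 = DateTimeOffset.UtcNow;
        string key = Issue("iphone-app-1", secret, t0, TimeSpan.FromMinutes(5));
        Console.WriteLine(TryValidate(key, secret, t0.AddMinutes(1), out _));   // inside the window
        Console.WriteLine(TryValidate(key, secret, t0.AddMinutes(6), out _));   // after expiry
        Console.WriteLine(TryValidate(key.Replace("iphone", "ipad"), secret, t0, out _)); // tampered
    }
}
```

The `lifetime` argument is the timestamp window the answer refers to: a shorter value sends the app back to the issuing server more often, a longer one keeps a captured key usable for longer.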
