Ways to secure an anonymous Web API request

Backend · Unresolved · 3 replies · 1921 views
予麋鹿 2021-02-02 09:29

I have an ASP.NET MVC (NOT ASP.NET Core) single-page application with AngularJS on the front end.

My client (browser) talks to server

3 answers
  •  小鲜肉 (original poster)
     2021-02-02 10:15

    Based on the answer from @Arvin and the comment from @Evk, here's how I plan to proceed:

    • Once the user starts the anonymous session, generate a GUID using the regular Guid.NewGuid() method and save it in the DB to identify the request (I'm doing this now). However, as mentioned here,

    GUIDs can be unique, but they are not cryptographically secure.

    • Hence, instead of using the plain-text GUID, encrypt it together with the current timestamp as a token and append it to the request query string.

    • For every subsequent API request, read the token from the query string, decrypt it, and validate it as follows:

      • Check the timestamp. If the time difference is more than a pre-defined limit (i.e. the token has expired), reject the request.

      • Validate the unique id (GUID) against the DB.

    • Since I'm not using a plain-text GUID anymore, the URI would not be easy to guess.

    Additionally, with the timestamp, the URI is invalidated after some time. While it is theoretically still possible to call the API through Fiddler, this should make it very difficult for the attacker, if not impossible.

    • As a further security measure, I can also add an Anti-Forgery token to the request.

    As per my understanding, this helps solve my underlying problem, and with this approach I may not even need to add a cookie to secure my anonymous session.

    I'd love to hear from you all whether this approach looks good and how it can be improved.
