Web Service Validation

NZ_Kiwis

What is the best way of validating a user via a webservice?

My user will call a webservice to get their account details. The url will be like mysite.com/ws/getdetails/12 where 12 is the user ID.

What I was thinking was once the user logs in setting a session ID into the database and sending the session ID into the URL so it would be like mysite.com/ws/getdetails/12/fgdfgfd9sdafgsadfdsf and in the function of the webservice checking the session name against the ID.

Is there a better way of doing this?

laserlight

You could look into existing protocols like the OAuth family, e.g., if you are thinking of a session ID, perhaps you could implement OAuth 2 with HTTP bearer authentication over SSL/TLS.

NogDog

I think it depends on what you mean by "web service"? If the user is logged in, and then your web page is making AJAX requests to "web services" on your site, those requests will be sending the session ID cookie, so you're already good to go. If you're talking about some sort of session-less usage where the "user" may be a totally separate application which is sending possibly one-off cURL request to your web services, then that's another situation, where something like OAuth might be an approach, or using public/private keys, etc. (We use SAML for a lot of that kind of thing where I work.)