Legacy SOAP service here at work use a token authentication. The flow is:
As first step I call the startSession method passing username (say myUser) and password (say myPWD) as parameter. At this point username/password are checked against a DB table:
+------------+-----------+---------+
| username | password | token |
+------------+-----------+---------+
| myUser | myPWD | (null) |
+------------+-----------+---------+
Since username/password matches a token is generated, stored in the database (at the same row where username and password are stored), and returned to the user that can use it for next calls:
+------------+-----------+---------+
| username | password | token |
+------------+-----------+---------+
| myUser | myPWD | myTok |
+------------+-----------+---------+
Right now, user myUser can call any method of the service simply passing a token. Both username and token are checked, if it matches the method continue, a new token is generated, stored in the DB and finally returned to the user for a new call.
I hate this behaviour and I’m searching for a more reliable approach. I would:
– Do not store (fully) token in a database
– Do not use external library (unless it is a really minimal library)
– New token for every method calls
Any ideas?