To reduce the overhead of SSL connections between our website server and our Tessitura Web API server, I am considering using two web API clients: one that uses SSL (https) and one that is unsecured (http). I would use the secured client only for API calls that involve passwords and credit card information, and otherwise use the unsecured client. I believe that this method is sound, but I have a small concern: In the unsecured API calls, users' session keys would be exposed. However, our Tessitura Web API server only responds to calls from permitted website servers, so it seems that it would be impossible to hijack a Web API session. Does this seem correct?
Hi Bryan,
It sounds good. Are you storing the session key in a browser cookie? Have you taken a look at Firesheep? A colleague mentioned I should look it up not too long ago. It is a Firefox add-in for sniffing cookies.
Are you passing the ip address when getting a session?
One thing I am doing with the site I am currently working on is making sure all the pages that are sensitive require SSL and cannot be accessed otherwise.
Jon
Hi Jon,
I store the Tess session key in the browser session (the ASP.NET session variable, in memory on the server).
Yes, I do pass the IP address (Request.UserHostAddress) to GetNewSessionKeyEx(). Does that serve any purpose aside from record-keeping?
My solution to require SSL is a user control that automatically redirects. The code looks like:
if (!Request.IsSecureConnection)
{
    // Re-issue the same URL with the https scheme.
    Response.Redirect(Request.Url.ToString().Replace("http://", "https://"));
}
Bryan,
Sounds good. I am using code similar to that for a couple of forms I created on our main site to enforce SSL. The current site I am working on uses MVC, and I am using the built-in filter attributes to handle requiring SSL.
In regards to the IP address, I was just thinking it is a good idea to have it. I am not sure it is going to be any more useful than a reference.
I think this is a really good topic.
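The two SSL-enforcement approaches discussed above (a WebForms redirect in a user control, and the MVC filter attribute), as an added example that is not code from this thread or from Tessitura. The helper builds the https:// target with UriBuilder instead of a string Replace, so a query-string value that happens to contain "http://" is left alone and a non-default port is handled, and it refuses to redirect a non-GET request, since a POST body sent over plain http has already left the browser unencrypted. The names SslHelper, SecureUrl, RequireSsl and CheckoutController are assumptions of this example; it assumes ASP.NET 4.x (System.Web) with System.Web.Mvc referenced for the controller part.

```csharp
// Added example, not the thread's code. Assumes ASP.NET 4.x WebForms plus
// System.Web.Mvc for the controller at the bottom. All type and method names
// here are hypothetical.
using System;
using System.Web;
using System.Web.Mvc;

public static class SslHelper
{
    // Returns the https:// form of the requested URL, or null when the request
    // is already secure. Kept separate from the redirect so it can be tested
    // without an HttpContext.
    public static string SecureUrl(Uri requestUrl, bool isSecureConnection)
    {
        if (isSecureConnection)
        {
            return null;
        }

        var builder = new UriBuilder(requestUrl)
        {
            Scheme = Uri.UriSchemeHttps,
            Port = -1 // -1 means "scheme default", so an explicit :80 is dropped
        };
        return builder.Uri.AbsoluteUri;
    }

    // Call from Page_Init or Page_Load of a user control or master page that
    // sits on every page which must not be served over plain http.
    public static void RequireSsl(HttpContext context)
    {
        HttpRequest request = context.Request;
        string target = SecureUrl(request.Url, request.IsSecureConnection);
        if (target == null)
        {
            return; // already https, nothing to do
        }

        // Only a GET can be safely re-requested over https. A POST arriving on
        // http has already exposed its body on the wire, so refuse it rather
        // than silently replaying it.
        if (!string.Equals(request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase))
        {
            context.Response.StatusCode = 403;
            context.Response.End();
            return;
        }

        // 301 lets browsers cache the upgrade; endResponse stops the page from
        // continuing to render the http version.
        context.Response.RedirectPermanent(target, endResponse: true);
    }
}

// MVC equivalent using the built-in filter attribute mentioned in the thread:
// [RequireHttps] redirects GET requests to https:// and rejects other verbs.
public class CheckoutController : Controller
{
    [RequireHttps]
    public ActionResult Payment()
    {
        return View();
    }
}
```

One point worth checking alongside either approach: the ASP.NET session that holds the Tessitura session key is itself identified by the ASP.NET_SessionId cookie, and that cookie is what a Firesheep-style sniffer would capture on any page served over http. It can be marked Secure with `<httpCookies requireSSL="true" httpOnlyCookies="true" />` under `<system.web>` in web.config, but a Secure cookie is then not sent on http:// pages, so that setting only works once every page that needs the session is served over https.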