Let's say I write a piece of code that makes an http call to a web api, something like:
$http.get('www.myapi/api/controller/endpoint').then(function(resp){...})
I then give this code to two people that live in different cities and they hit my API from their respective houses (just from some browser). What information can my API get out of the http request that will allow me to tell apart person A and person B calling it? Is the IP always available? Is the MAC address ever available? What else is there?
How can person A pretend to be person B when calling my API?
Furthermore, what if person C calls my Web API from their own Web API (backend)? Will the same information be available, or what will be different?
This is a general question, but if you want to get specific, let's assume ASP.NET Web API 2 is receiving the http requests.
Let's say I write a piece of code that makes an http call to a web api, something like:
$http.get('www.myapi./api/controller/endpoint').then(function(resp){...})
I then give this code to two people that live in different cities and they hit my API from their respective houses (just from some browser). What information can my API get out of the http request that will allow me to tell apart person A and person B calling it? Is the IP always available? Is the MAC address ever available? What else is there?
How can person A pretend to be person B when calling my API?
Furthermore, what if person C calls my Web API from their own Web API (backend)? Will the same information be available, or what will be different?
This is a general question, but if you want to get specific, let's assume ASP.NET Web API 2 is receiving the http requests.
Share Improve this question edited Sep 28, 2016 at 2:10 VSO asked Jul 28, 2016 at 18:22 VSOVSO 12.7k28 gold badges115 silver badges201 bronze badges 5- Maybe creating two cursors, using one inside the other ? – Odonno Commented Jul 28, 2016 at 19:11
- What are you trying to acplish with this information? – mrmcgreg Commented Sep 28, 2016 at 2:15
- @mrmcgreg: Secure endpoints that don't require the user to be logged in. Or at least, give us a way to identify and lockout malicious users. For now, I am just trying to get an overall picture though. – VSO Commented Sep 28, 2016 at 2:19
- You'll have a lot of these things but they might be more or less useful for your purposes. MACs are easily spoofed and clients sharing a router will all have the same IP. – mrmcgreg Commented Sep 28, 2016 at 2:57
- You'll also have most of the same things, except for some of the browser stuff, when someone is making an API call from a backend. – mrmcgreg Commented Sep 28, 2016 at 3:18
4 Answers
Reset to default 3 +50You're describing a desire for pre-authentication.
The IP will always be available. You could restrict the service to only those IP ranges. It's not a good way to do authentication.
Trying to get around having to perform authentication is not safe. You should use a proper authentication method. Combining IP restrictions with other methods is fine.
John Meyer's answer is essentially pre-shared token based user authentication. Having a valid token constitutes being constantly logged in. The token can be promised far more easily than a typical token based user authentication that establishes a temporary token with a limited lifetime.
If you decide to go the pre-shared token route, please use a method that supports proper rotation or permutation of the token over time, such that it isn't vulnerable to replay attacks.
Your best option for this scenario is typical session-token based user authentication.
If you're actually not interested in who is using your service, only that they be uniquely identified, you can safely establish a session (or permanent, or arbitrary lifetime) cookie per user by the http Set-Cookie header that all clients should automatically respect and support, then use that as your method of tracking.
My team has acplished this by requiring that an identification header be included on all requests. This does require some customization on the part of the calling party, but does not necessarily require that the user be logged in. Of course, the value of the header could be change by malicious users so if these calls need to be very secure you will need traditional authentication.
you seem really confused about this. what you are looking for is called authentication.
as you tagged C#, i am assuming you are developing your api in C#. I remend checking Web Api.
there are a couple of authentication methods available these days. if you are developing a rest api, you can use json web tokens.
you can get a lot of information about the client calling your api via http headers.
I think you can always go with fully authenticated. I see your desire to go for a semi secured set of endpoints but I don't think any of the approach would serve you best. MAC, ip, user-agent, custom fields anything can be spoofed to be honest. Going with a bearer token or session token is your only bet here. For public apis you can limit user requests based on ip or you can try finding out whether a specific ip is trying to exploit you and thus block it but finding true identity might not be possible anyway.