We develop social-based applications for mobile. Every application consumes RESTful API web-services. When I implement login I usually store the username and password somewhere on device. Then I send them and as a response I get access to my profile. But I also know there's another way to do this.
One somehow generates a token with a particular algorithm, and then send it instead of the username and password to gain access.
How should I implement that? Should I send this token along with every other request than login?
Best Answer
There are several way how to implement authentication in RESTful context, and it is more safe to send only tokens instead of login/password: you could easy make tokens to be invalid by timeout or by some other criteria, and ask user to re-authenticate.
For example authentication REST requests using HMAC. In this approach, client will have public and secret keys. To all requests that require authentication, you should add publiс key, and use secret key to calculate hash of your request
Now server could identify request by public key and calculate requestHash itself. If both hashes are equal, then user is authorized.
Btw, you also have to use https to secure communication over a computer network — this will dramaticaly reduce number of possible problems.