by kberryman 4487 days ago
HMAC is usually the best option for this. You don't want to have to save an unknown number of sessions as your service scales. And you don't want to have to store a password on the client device or send it across the line on every call. HMAC will allow you to check authentication, as well as allow you to verify that no one has tampered with the request packet or has tried to replay an old request with some sort of man-in-the-middle attack.
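As an added illustration of the scheme kberryman describes (not code from the thread), the Python below has the client sign each request with HMAC-SHA256 under a secret issued once at login, and the server check the signature, a timestamp window and a one-time nonce so that tampered or replayed requests are rejected without storing the password anywhere. The header names, MAX_SKEW and the in-memory stores are assumptions made for the example.

```python
import hashlib, hmac, secrets, time

# Constructed in-memory stores; a real service would use a shared/persistent store and
# a slow password hash (bcrypt/argon2) instead of plain SHA-256 for USERS.
USERS = {"alice": hashlib.sha256(b"correct horse battery staple").hexdigest()}
SESSION_KEYS = {}      # key id -> HMAC secret, issued at login
SEEN_NONCES = set()    # nonces already accepted (expire entries older than MAX_SKEW in practice)
MAX_SKEW = 300         # seconds a signed request stays acceptable

def _password_ok(username, password):
    stored = USERS.get(username)
    return stored is not None and hmac.compare_digest(
        stored, hashlib.sha256(password.encode()).hexdigest())

def login(username, password):
    """Checks the password once; returns (key_id, secret) or None. The password is never kept."""
    if not _password_ok(username, password):
        return None
    key_id, secret = secrets.token_hex(8), secrets.token_bytes(32)
    SESSION_KEYS[key_id] = secret
    return key_id, secret

def canonical(method, path, body, ts, nonce):
    # Everything an attacker could alter must be covered by the signature, including the body.
    return "\n".join([method.upper(), path, str(ts), nonce, hashlib.sha256(body).hexdigest()]).encode()

def sign_request(key_id, secret, method, path, body, now=None):
    """Client side: attach key id, timestamp, fresh nonce and HMAC-SHA256 over the canonical form."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    sig = hmac.new(secret, canonical(method, path, body, ts, nonce), hashlib.sha256).hexdigest()
    return {"X-Key-Id": key_id, "X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": sig}

def verify_request(headers, method, path, body, now=None):
    """Server side: (ok, reason); rejects unknown keys, stale timestamps, replays and tampering."""
    now = time.time() if now is None else now
    secret = SESSION_KEYS.get(headers.get("X-Key-Id"))
    if secret is None:
        return False, "unknown key"
    try:
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return False, "bad timestamp"
    if abs(now - ts) > MAX_SKEW:
        return False, "stale timestamp"
    nonce = headers.get("X-Nonce", "")
    if nonce in SEEN_NONCES:
        return False, "replay"
    expected = hmac.new(secret, canonical(method, path, body, ts, nonce), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"
    SEEN_NONCES.add(nonce)  # record only after the signature checked out
    return True, "ok"
```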

Ok, is the idea that the user should log in once on the client device, and the client should not store the password, encrypted or otherwise?

Then all subsequent messages to the server use HMAC for verification?

When does the user need to enter login information again?