I was looking at ways to perform authentication in applications which primarily work out of RESTful APIs. I am specifically referring to MEAN stack apps. Here the backend (Node + Express) and front-end (Angular) are completely decoupled and have no linkages whatsoever.
The way I am performing authentication is this:
1. When the user first logs in, the server includes the user id in an encrypted form in the x-access-token header of the HTTP message.
2. Then on all subsequent requests, the server will check the request headers for the token:
```javascript
// parsed_url is the parsed query string of the request URL (not shown in the post)
var token = (req.body && req.body.access_token) || parsed_url.access_token || req.headers['x-access-token'];
```
On the client side, I use Angular interceptors to capture this header, decrypt it and then re-send it when making subsequent calls.
There is no use of cookies or sessions anywhere in this procedure (I believe this is how REST truly needs to be implemented).
This is all working for now.
But my question is: is this the right way to do things? What are the disadvantages of using this over cookies?
If the user ID is easy to guess or enumerate (and you have to assume that the encryption method is known -- we dislike "security by obscurity"), then clients can fake encrypted user ids. Moreover, if anyone obtains the user id (is your traffic HTTPS?), they can do the same.
You thus have to:
If you do that, you can also send "userId" as plain, no need to encrypt.