Web - Need new user authentication system for entire web API

[dvstans]

This weakness of the web service was overlooked somehow, but the ID of the user is the only parameter needed to access the web API. This information was stored in a cookie, but users can easily modify the contents of the cookies to spoof the ID of another DataFed user. Cookies must continue to be used, but the contents must be secured. There are a number of solutions:

• Have the core service encrypt the user ID and store this in a cookie, then on each call, the core would decrypt the UID (using private keys). This approach would add loading on the core and be slow.
• Have the web server issue a local session ID (after authentication) then store this locally to the web server (memory cache) and map to a user ID. On sending messages to Core, the session ID would be used to look-up the user ID. This avoids any changes to core, but requires session management inside the core. The plus side is this scales out when many more web servers are added.

[dvstans]

This has been fixed using nodejs express-session. No user account information is exposed to the client - only a session ID. The web server maintains only what session data is needed to use the api and/or register a new user. Session data is stored in memory - may need to investigate a mechanism for flushing old session data if memory gets low (the session cookie is good for a week).