Quick background:
I have a full JavaScript SPA (AngularJS) client that talks to a RESTful API server. I am trying to develop a better authentication scheme for the server API. The client will have roles, and I don’t care if the user can see areas of the client that they are not allowed to, because the server must be dense.
Authentication Flow:
- User sends username and password to, say, /api/authenticate
- If the user is valid, generate an API token (SHA hash from fields, or MD5) and some other metadata defining roles, and send them back in the response to 1)
- Token is stored in a session cookie (no expiry, HttpOnly, SSL)
- Each subsequent request sends the cookie token, and the server checks whether it belongs to a user
- SSL is used on the server
Questions:
- Is this the best way to protect a server?
- Do I need to worry about repeated attacks with SSL? Is this the best way to handle this?
- I tried to come up with a way to secure it with HMAC in AngularJS, but I cannot store the private key on the JavaScript client.
- I tried the HTTP authentication method first, but sending the username and password with every request seems weird.
Any suggestions or examples would be appreciated.