I am implementing a REST API authentication system.
I mainly use the method described on this site:
http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/
Basically, it uses the request body to create a hash, sends it to the server along with the actual request, the server recreates and compares it, and so on.
I won't go into the details. The important part is that I use a timestamp to prevent replay attacks.
A quote from the site explains:
Compare the current timestamp on the server to the timestamp the client sent. Make sure the difference between the two timestamps is within an acceptable time limit (5-15 minutes maybe) to hinder replay attacks.
The problem I am facing right now is that if the client's clock setting is changed, this can lead to unexpected API authentication failures, since the timestamp differs between the client and the server.
Is there no way around this? Should I stop using timestamps?
I would really appreciate it if anyone could help me solve this problem with a timestamp, or in any other way by which I can prevent replay attacks.
Note: I know that issuing a nonce to the client is a great way to prevent replay attacks, but I want to do this last, because the cost of implementing the nonce-issuing API and the backend for managing nonces is too high.
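The exchange described in the question, as an added example that is not part of the original post or of the linked article. It uses a hypothetical canonical string (method, path, timestamp, SHA-256 of the body) signed with HMAC-SHA256 and sent in assumed X-Timestamp and X-Signature headers; the shared secret, the fake clocks and the request bodies are constructed for the demonstration. It also goes beyond the question in two ways that a practitioner would want to see: the server keeps a replay cache of accepted signatures, because the timestamp window alone still allows a captured request to be replayed inside the window, and the client learns a clock offset from the server's time (assumed to be exposed, for example in a Date header or an unauthenticated time endpoint), which is one common way around the skew failure without issuing nonces.

```python
import hashlib
import hmac

# Constructed shared secret and window; neither value comes from the question
# or the linked article.
SECRET = b"constructed-shared-secret-for-the-example"
WINDOW_SECONDS = 5 * 60  # lower end of the 5-15 minute window the quoted site suggests


def compute_signature(secret, method, path, body, timestamp):
    """HMAC-SHA256 over a hypothetical canonical string.

    The timestamp is part of the signed data, so an attacker cannot move a
    captured request into the acceptance window by editing the header.
    """
    body_hash = hashlib.sha256(body).hexdigest()
    canonical = "\n".join([method, path, str(timestamp), body_hash]).encode()
    return hmac.new(secret, canonical, hashlib.sha256).hexdigest()


class Client:
    def __init__(self, secret, clock):
        self.secret = secret
        self.clock = clock        # callable returning the client's local epoch seconds
        self.offset = 0           # correction learned from the server's clock

    def sync_clock(self, server_time):
        # Assumed remedy for skew: the server exposes its time and the client
        # signs with local time plus the learned offset.
        self.offset = server_time - self.clock()

    def sign_request(self, method, path, body):
        ts = self.clock() + self.offset
        sig = compute_signature(self.secret, method, path, body, ts)
        return {"X-Timestamp": str(ts), "X-Signature": sig}


class Server:
    def __init__(self, secret, clock, window=WINDOW_SECONDS):
        self.secret = secret
        self.clock = clock
        self.window = window
        self.seen = {}            # signature -> timestamp; replay cache bounded by the window

    def verify(self, method, path, body, headers):
        now = self.clock()
        try:
            ts = int(headers["X-Timestamp"])
        except (KeyError, ValueError):
            return False, "missing or malformed timestamp"
        # Window check from the quoted article: reject anything too old or too far in the future.
        if abs(now - ts) > self.window:
            return False, "timestamp outside window"
        expected = compute_signature(self.secret, method, path, body, ts)
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return False, "bad signature"
        # The window alone does not stop replay inside the window; remember
        # accepted signatures until their age would reject them anyway.
        self.seen = {s: t for s, t in self.seen.items() if now - t <= self.window}
        if expected in self.seen:
            return False, "replay"
        self.seen[expected] = ts
        return True, "ok"


def run_scenario():
    """Constructed exchange with fixed clocks so the outcome is deterministic."""
    server_now = 1_700_000_000
    server = Server(SECRET, clock=lambda: server_now)
    method, path = "POST", "/api/v1/orders"
    body_a = b'{"item": "widget", "qty": 2}'
    body_b = b'{"item": "widget", "qty": 3}'

    # 1. Client whose clock matches the server's.
    good = Client(SECRET, clock=lambda: server_now)
    req = good.sign_request(method, path, body_a)
    first = server.verify(method, path, body_a, req)
    # 2. Same request sent again: still inside the window, so only the replay cache catches it.
    replayed = server.verify(method, path, body_a, req)
    # 3. Client whose clock is 20 minutes fast: fails the window check even
    #    though the signature itself is valid.
    skewed = Client(SECRET, clock=lambda: server_now + 20 * 60)
    skewed_result = server.verify(method, path, body_b, skewed.sign_request(method, path, body_b))
    # 4. The same client after learning the server's time: accepted.
    skewed.sync_clock(server.clock())
    corrected = server.verify(method, path, body_b, skewed.sign_request(method, path, body_b))
    # 5. Tampered body sent with the original headers: the HMAC no longer matches.
    tampered = server.verify(method, path, b'{"item": "widget", "qty": 200}', req)

    return {
        "in_sync": first,
        "replay": replayed,
        "skewed": skewed_result,
        "after_sync": corrected,
        "tampered": tampered,
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name:>10}: {result}")
```

Two design points: the timestamp check runs before the HMAC so the server does not spend a hash on stale requests, but the signature is still verified with a constant-time comparison; and the replay cache only needs to hold entries for one window, since anything older is rejected by the timestamp check regardless, which keeps it bounded without the separate nonce-issuing backend the question wants to avoid.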