
Http Basic Authentication with session identifier


I’m using Http Basic Authentication for my API access from a mobile application. Unfortunately I need to keep state internally. As the state is per session I can’t use username/password as the state key. It seems like I have to add something like a cookie, session identifier or API key. I would prefer not to add it as part of my URL but to add it to the header instead (username/password/id instead of username/password).

What would you suggest? Does this even make sense?


Solution

  • You might want to negotiate a session key with the web api using basic authentication the first time, and use HMAC authentication with that session key for the rest of the calls. You would assign your internal state to that session key. For HMAC authentication, you can use Hawk. I have an implementation for Hawk in .NET called Hawk.NET.

    https://github.com/pcibraro/hawknet
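
The flow described in the answer, as an added C# sketch that is not part of the original answer and is not Hawk.NET code or Hawk's wire format: a session id and key are issued once after Basic authentication, and later requests carry an HMAC-SHA256 over a canonical string. It assumes .NET 6 or later; `SessionStore`, the canonical string layout, the 60-second skew window and the `/api/cart` path are hypothetical choices made for this illustration.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

// Constructed demo: one server-side store and one simulated client request.
var store = new SessionStore();
var (id, key) = store.Create();            // sent back in the Basic-authenticated response
long ts = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
string nonce = Convert.ToHexString(RandomNumberGenerator.GetBytes(8));
string mac = SessionStore.Sign(key, "GET", "/api/cart", ts, nonce);
Console.WriteLine(store.TryVerify(id, "GET", "/api/cart", ts, nonce, mac, out _));        // first use
Console.WriteLine(store.TryVerify(id, "GET", "/api/cart", ts, nonce, mac, out _));        // same nonce again
Console.WriteLine(store.TryVerify(id, "GET", "/api/other", ts, nonce + "x", mac, out _)); // MAC for another path

public sealed class SessionStore
{
    private sealed record Session(byte[] Key, ConcurrentDictionary<string, object> State,
                                  ConcurrentDictionary<string, byte> Nonces);
    private readonly ConcurrentDictionary<string, Session> _sessions = new();
    private const long MaxSkewSeconds = 60;   // assumed tolerance for client clock drift

    // Call once, after HTTP Basic authentication has succeeded over TLS.
    public (string Id, byte[] Key) Create()
    {
        string id = Convert.ToHexString(RandomNumberGenerator.GetBytes(16));
        byte[] key = RandomNumberGenerator.GetBytes(32);
        _sessions[id] = new Session(key, new(), new());
        return (id, key);
    }

    // MAC over a canonical string that client and server build identically.
    public static string Sign(byte[] key, string method, string path, long ts, string nonce)
    {
        byte[] data = Encoding.UTF8.GetBytes($"{ts}\n{nonce}\n{method.ToUpperInvariant()}\n{path}\n");
        return Convert.ToBase64String(HMACSHA256.HashData(key, data));
    }

    // Hands back the per-session state only for a fresh, correctly signed request.
    public bool TryVerify(string id, string method, string path, long ts, string nonce,
                          string mac, out ConcurrentDictionary<string, object> state)
    {
        state = null;
        if (!_sessions.TryGetValue(id, out var s)) return false;
        if (Math.Abs(DateTimeOffset.UtcNow.ToUnixTimeSeconds() - ts) > MaxSkewSeconds) return false;
        byte[] expected = Encoding.ASCII.GetBytes(Sign(s.Key, method, path, ts, nonce));
        if (!CryptographicOperations.FixedTimeEquals(expected, Encoding.ASCII.GetBytes(mac ?? "")))
            return false;                              // constant-time comparison of the MACs
        if (!s.Nonces.TryAdd(nonce, 0)) return false;  // replayed nonce; a real store expires old entries
        state = s.State;
        return true;
    }
}
```

The session id, timestamp, nonce and MAC travel in a request header, so nothing session-related appears in the URL, and the password is sent only on the first call.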