We have android app through which retailer can recharge customers mobile. So we need to authorize every recharge request.
To send recharge request retailer needs to hit api with recharge related information and userid and userkey. As below
[AcceptVerbs("GET")]
public IHttpActionResult Prepaid(int pUserID = -1, string pKey = "", string pCustomerNo = "", decimal pAmount = 1, int pServiceProviderId = -1, int pDeviceTypeId = -1)
We authenticate user for every api hit comparing userkey(encrypeted password) with password stored in db
This makes too many db calls and our server gets slow
Its b2b app and retailer perform different kind action like transaction history, credit request, book complaint other than just recharge
How to maintain state after user login to Android app
Well, REST by design is stateless. By adding session (or anything else of that kind) you are making it stateful and defeating any purpose of having a RESTful API.
To achieve authentication and authorization I have used following method:
While user post request from android, user send his userid and password in http authentication header and at server side we check password and if user is authorized the we process user request.
No need to maintain any state between android and web api as api are stateless.