One topic that I don't see addressed to any significant degree is authentication between the client and server (web service), so I was trying to come up with a concept using tokens.
1) User submits username/password via an SSL page.
2) Server authenticates user against database and if valid, generates a token (random number) and stores that along with the IP address of the client in the database.
4) Server sends back token to client; client stores it in session cookie.
4) All requests to web services via the client (ExtJs AJAX Requests), send along as a param the token.
5) Server checks to see if token and IP address are valid and haven't expired, allowing call to be completed.
I figure with the above mechanism, if someone were to have somehow hijacked the user's token, even if they passed it in, the IP address of the client wouldn't match, thus failing.
Does anyone see any "holes" in the above mechanism? Any suggestions?
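A server-side sketch of steps 2, 3 and 5 as an added example, not code from the post; it assumes an in-memory dict in place of the database table, a 15-minute expiry, and that the token is stored as a hash rather than in the clear.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed in-memory stand-in for the database table described in the post:
# sha256(token) -> (username, client_ip, expires_at). Storing only the hash is an
# added assumption: a leaked copy of the table then cannot be replayed directly.
_TOKENS = {}
TOKEN_TTL_SECONDS = 15 * 60  # assumed expiry; the post gives no value


def _token_key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(username: str, client_ip: str, now: Optional[float] = None) -> str:
    """Steps 2/3: after the password check passed, mint a random token bound
    to the client's IP and an expiry, persist it, and hand the token back."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _TOKENS[_token_key(token)] = (username, client_ip, now + TOKEN_TTL_SECONDS)
    return token


def validate_token(token: str, client_ip: str, now: Optional[float] = None) -> Optional[str]:
    """Step 5: return the username if the token is known, unexpired and was
    issued to this IP; otherwise None. Expired rows are dropped on sight."""
    now = time.time() if now is None else now
    key = _token_key(token)
    record = _TOKENS.get(key)
    if record is None:
        return None
    username, bound_ip, expires_at = record
    if now >= expires_at:
        del _TOKENS[key]
        return None
    # Constant-time compare so response timing does not leak the bound IP.
    if not hmac.compare_digest(bound_ip, client_ip):
        return None
    return username


def revoke_token(token: str) -> None:
    """Logout: remove the server-side row so the cookie value becomes useless."""
    _TOKENS.pop(_token_key(token), None)
```

The `now` parameter exists only so expiry can be exercised deterministically; in a real handler the IP passed in must be the one the server observed on the connection, not a value the client supplied.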