I am still new to webserver stuff, learning as I go (pardon the pun). But I am a bit confused how to maintain identities of users making HTTP requests without asking for the username and password every time.
My client side is actually in C# (it's a computer game) and my server will receive HTTP requests from the application. I could send the user id after login, but anyone could send a user id and pretend to be someone they are not, so isn't this a security issue?
I don't particularly want to be sending user/pass all the time since that will force me to HTTPS all the time due to sensitive information.
What is the general solution for this? I presume cookies can't be done since it's a C# application and not a browser like Chrome etc.
I presume cookies can't be done since it's a C# application and not a browser like Chrome etc.
Cookies are just a header called Cookie and aren't an issue for any reasonable HTTP library.
I don't particularly want to be sending user/pass all the time since that will force me to HTTPS all the time due to sensitive information.
This is what Facebook, Twitter, and most other websites did 10 years ago. Secure login pages prevent your credentials from being stolen, but the other insecure endpoints you hit reveal whatever other information you use to authenticate. This allows your users to be impersonated by anybody monitoring your insecure connections. See Firesheep.
Since you should be securely storing your users' passwords, I would imagine verifying your user's password for every single request is slow.
If an account is guaranteed to never be used by more than one client at a time, you can just generate a random API token for each user, independent of their username and password. Otherwise, you will have to generate random session tokens when the user logs in and map them to the actual user with some sort of database. This is how most websites handle logins.
Regardless of what you do, there will be no way to prevent someone from impersonating another account if they know their secrets (username+password or session ID). This is why you have to use HTTPS and not just HTTP.
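The session-token scheme this answer describes, as an added Python example that is not the answerer's code (the question's client is C#, but the server side is unspecified). The dictionaries stand in for the database, the user credentials are constructed, and the token is a bearer secret that must only travel over HTTPS, as the answer says.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stores standing in for the server's database.
USERS = {}      # username -> (salt, password_hash)
SESSIONS = {}   # session token -> username

def _hash_password(password: str, salt: bytes) -> bytes:
    # Deliberately slow key derivation: this cost is exactly why you do not
    # want to re-verify the password on every request.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = (salt, _hash_password(password, salt))

def login(username: str, password: str):
    """Verify the password once; return a fresh random session token, or None."""
    record = USERS.get(username)
    if record is None:
        return None
    salt, stored = record
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(stored, _hash_password(password, salt)):
        return None
    token = secrets.token_urlsafe(32)   # 256 random bits: not guessable from the user id
    SESSIONS[token] = username
    return token

def authenticate(token: str):
    """Map the token sent with a later request back to a user (cheap lookup)."""
    return SESSIONS.get(token)

def logout(token: str) -> None:
    # Invalidating server-side is what makes a leaked token revocable.
    SESSIONS.pop(token, None)
```

The game client keeps the returned token (in a Cookie header or any other header) and sends it with each request instead of the username and password.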
I think the typical approach for this is to use the session id: https://en.wikipedia.org/wiki/Session_ID