I am building a web API that provides data for some applications.
The scenario is something like a web API hosted on Server001 with the methods GET / POST / PUT / DELETE available.
On Server002 there is a site in another technology, e.g. PHP, which will use the data that the API provides to present to its users. Websites / iOS / Android / WP8 and other applications can also get data from my web API (with web API permissions, of course).
So I was thinking of generating secret keys for each registered application. The headers of each GET / POST will send this key, and that way I know whether an application is allowed or not.
After that, I am thinking about how a user can log in. If the user requests a login via PHP while logged in on the iOS app, I want to know and want to show it to him, because Gmail does that today. So I need to manage the applications and where each user is logged in. How could I do this? Are there ready-made solutions?
Is it correct to save in MemoryCache all users logged in across all applications? I'm afraid that if I have thousands and thousands of users connected at the same time it becomes a problem.
I'm a total newbie in security and I do not want to do something now only to redo it three months later.
Thank you
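As an added illustration of the two pieces the question asks about (not code from the asker), the block below shows a per-application secret used to sign request headers, and a session store that records which application each user is logged in from, so the server can show the Gmail-style "active sessions" list. The header names, the `APP_SECRETS` registry and the in-memory dict are assumptions; a real deployment would put the session table in a shared store, since a per-process cache like MemoryCache is lost on restart and not visible to other servers.

```python
import hashlib
import hmac
import secrets

# Constructed registry of per-application secrets (assumption: one secret per registered app).
APP_SECRETS = {"php-site": "constructed-php-secret", "ios-app": "constructed-ios-secret"}


def sign_request(secret: str, method: str, path: str, timestamp: int) -> str:
    """HMAC-SHA256 over method, path and timestamp, so a captured header is bound to one request."""
    msg = f"{method.upper()}\n{path}\n{timestamp}".encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def verify_request(headers: dict, method: str, path: str, now: int, max_skew: int = 300):
    """Return the calling application id if the signature headers are valid, otherwise None."""
    secret = APP_SECRETS.get(headers.get("X-App-Id", ""))
    if secret is None:
        return None                       # unknown or missing application id
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return None
    if abs(now - ts) > max_skew:          # reject stale or future-dated requests (replay window)
        return None
    expected = sign_request(secret, method, path, ts)
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return None                       # constant-time compare avoids a timing side channel
    return headers["X-App-Id"]


class SessionStore:
    def __init__(self, idle_ttl: int = 3600):
        self.idle_ttl = idle_ttl
        self.sessions = {}                # token -> {"user", "app", "last_seen"}

    def login(self, user: str, app_id: str, now: int) -> str:
        token = secrets.token_urlsafe(32)  # unguessable session token handed back to the client
        self.sessions[token] = {"user": user, "app": app_id, "last_seen": now}
        return token

    def active_sessions(self, user: str, now: int) -> list:
        """Where is this user logged in right now? Expired sessions are dropped first."""
        self.sessions = {t: s for t, s in self.sessions.items() if now - s["last_seen"] <= self.idle_ttl}
        return sorted(s["app"] for s in self.sessions.values() if s["user"] == user)

    def revoke(self, token: str) -> None:
        self.sessions.pop(token, None)    # lets the user sign out one device from another
```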