Web Service Security

We have an API that will be used only by our new website for now. I would like to get input on what stackoverflowers think about the security in place for this API.

1) SSL protected

2) When logging in, the user's "IP" is sent as well as user and password. The API is then attached to the session and the session token is sent back. Whenever the next call is made, the userID, session and IP are passed. Then the userID is verified with the right session token and IP and, if it's good, the method is carried out.

3) The web service itself is protected to allow access only from the IP where the server is being hosted.

Thanks, Faisal Abid


I don't see why an IP address is passed. This should be pulled from the TCP socket and therefore cannot be spoofed or otherwise influenced by an attacker.

The session ID should be a cryptographic nonce, and ideally you would be using a session handler already available in your platform. There is no sense in re-inventing the wheel.

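The two points in the answer above, shown as an added example that is not part of the original question or answer: the session token is a cryptographic nonce from the platform's CSPRNG, and the only IP address the server ever looks at is the one it read from the accepted socket, never an "ip" field the client put in the request. Function names, the in-memory store, the plaintext demo credential and the 203.0.113.x / 198.51.100.x addresses are all assumptions made for the illustration.

```python
import hmac
import secrets
import time

# Constructed demo credential store. Only for illustration: a real service
# stores salted password hashes (bcrypt/argon2), never plaintext.
_USERS = {"alice": "correct horse battery staple"}

# token -> (user_id, remote_addr, expires_at); a real service would use the
# framework's session store, as the answer recommends.
_SESSIONS = {}

SESSION_TTL = 3600  # seconds; assumed value for the example


def login(user_id, password, remote_addr, now=None):
    """Check credentials and return a fresh session token, or None on failure.

    remote_addr must be the peer address of the TCP socket the request
    arrived on (request.remote_addr in most frameworks), not a value the
    client supplied in the request body.
    """
    now = time.time() if now is None else now
    expected = _USERS.get(user_id, "")
    # Constant-time comparison so the password check does not leak via timing.
    if not expected or not hmac.compare_digest(password.encode(), expected.encode()):
        return None
    # 32 random bytes (256 bits) from the OS CSPRNG: unguessable, so the token
    # alone is the credential and the userID does not need to be resent.
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = (user_id, remote_addr, now + SESSION_TTL)
    return token


def authorize(token, remote_addr, now=None):
    """Return the user_id bound to token if it is valid for this socket, else None."""
    now = time.time() if now is None else now
    entry = _SESSIONS.get(token)
    if entry is None:
        return None
    user_id, bound_addr, expires_at = entry
    if now >= expires_at:
        del _SESSIONS[token]
        return None
    # Binding a session to the socket address is a weak extra signal (NATs and
    # mobile clients change address), but if it is used at all it must compare
    # the socket address, not a client-supplied one.
    if bound_addr != remote_addr:
        return None
    return user_id


def handle_api_call(body, socket_peer, now=None):
    """Dispatch an authenticated call. `body` is the parsed request; the
    'ip' and 'userID' fields the original design sends are deliberately
    ignored: identity comes from the token, address from the socket."""
    user_id = authorize(body.get("session"), socket_peer, now=now)
    if user_id is None:
        return {"status": 401, "error": "invalid session"}
    return {"status": 200, "user": user_id, "method": body.get("method")}


def logout(token):
    _SESSIONS.pop(token, None)


if __name__ == "__main__":
    tok = login("alice", "correct horse battery staple", "203.0.113.5")
    # Legitimate caller from the same address.
    print(handle_api_call({"session": tok, "method": "getProfile"}, "203.0.113.5"))
    # Attacker replays a stolen token from elsewhere and claims the victim's
    # IP in the body; the claimed "ip" is never read, so the call is refused.
    print(handle_api_call({"session": tok, "ip": "203.0.113.5", "method": "getProfile"},
                          "198.51.100.9"))
```

The request handler never consults body["ip"]; if the framework sits behind a reverse proxy, the equivalent of the socket address is the proxy's trusted X-Forwarded-For entry, which must be configured explicitly rather than taken from the client.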
