0

I am creating an authentication controller for my web api. Essentially, when a user of my app creates an account, my controller needs to receive the user's data, and the password (which is not part of the type that contains the rest of the user's data).

Only this one time is the password sent unhashed to the web api. This controller returns a hash salt to the user and he uses that for auth requests henceforth. But my problem is that I can't bind the password to the body along with the user object being created, because web api only accepts one body parameter, and the user info is going in there. So ... this leaves me with the URI for the password. Is this less secure than passing it in the body? Is there a better way to craft this request?

Thanks!

Andrew B Schultz
  • 1,512
  • 1
  • 23
  • 41

2 Answers2

1

I am not sure I understand your mechanism correctly. First of all if you are ever sending password unencrypted (eg. when user is registering) make sure you use SSL. Same applies to sending salt (to prevent dictionary attacks on user passwords).

If you dont want to send password as a part of your action parameter(s) you can always use http headers and retrieve password string using HttpRequestMessage.Headers property.

Dont know what you mean by that web api accepts only one body parameter, but remember that the object you are sending to Web API action can be complex, ie. can be composed of both user object and a password string.

Piotr Walat
  • 971
  • 7
  • 9
1

So ... this leaves me with the URI for the password.

Oh not necessary. You could use custom HTTP headers. The Cookie is one example of such request header which could be used to send the authentication token. Or an Authorization header. Or even a custom header.

In this post for example I have shown how you could use Basic Authentication with the Web API and query the Membership and Role provider.

Community
  • 1
  • 1
Darin Dimitrov
  • 1,023,142
  • 271
  • 3,287
  • 2,928