
As you know, for Basic HTTP authentication, the Authorization header carries the Base64 encoding of the string:

username:password 

I don't know why HTTP really expects this, but my question is about my REST web service. If I use a custom HTTP header to carry the userid:token pairs, is it safe not to Base64 them? Can I send them as plain text, as is?

Note: I use HTTPS, and this is NOT a security question

Jules Sam. Randolph
Spring
  • Duplicate of http://stackoverflow.com/questions/962187/plain-text-password-over-https and http://security.stackexchange.com/questions/7057/i-just-send-username-and-password-over-https-is-this-ok and http://security.stackexchange.com/questions/988/is-basic-auth-secure-if-done-over-https – Alex Bitek Jan 03 '13 at 15:32
  • @Bad Design read the question well, this is NOT a security question; the reason HTTP asks for encoded headers is NOT to protect against hijacking – Spring Jan 03 '13 at 15:38

2 Answers


is that safe to not Base64 them?

If you do not base64 encode them, there is a possibility that one of the text characters in the username or password is not a valid HTTP header character. You would need to study the HTTP RFC to ensure that this is not an issue for your application.

For example, does your app allow whitespace within the password? Things like that...

Or you can just base64 encode the username/password and know that you are safe from violating the HTTP protocol.

Guido Simone
  • Thanks, could you also look at http://stackoverflow.com/questions/14142484/http-auhtorization-header-consistency-in-requests – Spring Jan 03 '13 at 16:01

You can send them in plain text if you want, if you're using a custom header.

However if you stick to the Basic HTTP protocol, you'll be able to use standard tools in testing, and clients won't have to add manual extra code to add the header, so I recommend not rolling your own headers if possible.

artbristol
  • So is it OK to use the HTTP Basic header, even if I am manually managing my login with username:token pairs? No cookies, no container-managed authorization, just a one-time token – Spring Jan 03 '13 at 15:41