0

I am building a web application and RESTful web service.

I have been reading various articles about the best way to authenticate the requests to the web service.

The best option for me seems to be to use HTTP basic authentication. Pretty much every article I've read says that authentication should be encrypted over SSL or equivalent.

I'm not totally sure what this involves. Does this mean that my whole web service will have to be on a secure server? Will this slow things down?

GWed
  • You'll probably be interested in [this question](http://stackoverflow.com/q/14589326/372643) and its duplicates. – Bruno Feb 05 '13 at 17:21

1 Answer

0

This really depends on how much data is being transferred and the amount of hits your service is getting. Encrypting the data will increase processing time and typically the amount of information transferred. However, if you choose basic authentication without SSL and there is a user running a packet sniffer on your network, it is almost like yelling your credentials across the room. It is possible to switch between HTTP and HTTPS by configuring your `.htaccess` if you'd like. See the link below:

Correctly switching between HTTP and HTTPS using .htaccess

Luke Wyatt
  • Thanks. That was my worry. There will be a fair bit of data transferred, but I don't actually need that to be secure. It's only the authentication information that needs to be secure. – GWed Feb 05 '13 at 16:11
  • I would argue that automatic redirections between HTTP and HTTPS are generally a bad idea. It's the links that matter (as explained in detail [here](http://webmasters.stackexchange.com/a/28443/11628)). – Bruno Feb 05 '13 at 16:49
  • @Bruno, good link. But I'd reword it saying not to rely entirely on re-directions instead of scrapping it. – Luke Wyatt Feb 05 '13 at 17:00
  • I'd *always* scrap them in development and testing. If your app requires requests to be changed automatically from HTTP to HTTPS, there's a big problem with the app: it should use an `https://` URL in the first place to prevent a first insecure request. Automatic redirections are only OK for cases when the end user types something manually in the address bar (like `http://example.com/myaccount` which should be turned into `https://example.com/myaccount`). – Bruno Feb 05 '13 at 17:08
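The following Python is an added example, not code from the question, the answer, or the pages they link to. It makes two points from the thread concrete: the answer's "yelling your credentials across the room" (a Basic `Authorization` header is base64 encoding, not encryption, so anyone who sees the plaintext request reads the password straight back out), and Bruno's point that the client should use an `https://` URL in the first place rather than rely on a redirect, which would already have leaked the header on the first insecure request. The function names, the `api.example.com` host and the `alice`/`s3cret` credentials are all constructed for the example; `check_credentials` is a hypothetical server-side helper, not a framework API.

```python
"""Added example: why HTTP Basic credentials need TLS, and a client-side guard
that only ever sends them over https:// URLs."""
import base64
import hmac
from urllib.parse import urlsplit


def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization header value the way browsers and HTTP clients do
    (RFC 7617): base64 of "user:password". Note there is no secret involved."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def credentials_from_header(header: str):
    """What a passive observer of a plaintext HTTP request recovers from the header.
    Returns (username, password), or None if the header is not well-formed Basic."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # RFC 7617: split on the first colon only; the password may itself contain colons.
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def is_https_url(url: str) -> bool:
    """True only for an explicit https:// URL; anything else is treated as insecure."""
    return urlsplit(url).scheme == "https"


def build_request_headers(url: str, username: str, password: str) -> dict:
    """Client-side guard: attach Basic credentials only to https:// URLs.
    Refusing here avoids the 'first insecure request' problem: with an http://
    URL the header would be on the wire before any redirect to HTTPS happened."""
    if not is_https_url(url):
        raise ValueError(f"refusing to send Basic credentials over a non-https URL: {url}")
    return {"Authorization": basic_auth_header(username, password)}


def check_credentials(header: str, expected_user: str, expected_password: str) -> bool:
    """Hypothetical server-side check. Both fields are compared in constant time and
    both comparisons always run, so timing does not reveal which one was wrong."""
    creds = credentials_from_header(header)
    if creds is None:
        return False
    user, password = creds
    user_ok = hmac.compare_digest(user.encode("utf-8"), expected_user.encode("utf-8"))
    pass_ok = hmac.compare_digest(password.encode("utf-8"), expected_password.encode("utf-8"))
    return user_ok and pass_ok


if __name__ == "__main__":
    # Constructed sample: what the header looks like and what a sniffer gets from it.
    header = basic_auth_header("alice", "s3cret")
    print("on the wire:", header)
    print("recovered by anyone who saw it:", credentials_from_header(header))
    print(build_request_headers("https://api.example.com/v1/items", "alice", "s3cret"))
    try:
        build_request_headers("http://api.example.com/v1/items", "alice", "s3cret")
    except ValueError as exc:
        print("client guard:", exc)
```

The server side of the same rule is to refuse Basic credentials that arrive over plain HTTP (reject rather than redirect), so a misconfigured client fails loudly instead of leaking silently on each request.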