4

If I send a password in JSON over HTTPS to perform authentication, is it secure? Is there a better way to do it?

In general, what is the best way to send a username and password over to a server to perform authentication?

EricLaw

Ruchir Patwa
  • If I understand it correctly, you have a web service that accepts POST requests for authentication. The client is not necessarily a web browser; it could be a mobile application or a desktop application? Please provide more information on what you are trying to achieve. – kazinix Aug 15 '13 at 01:56
  • Yes exactly. It is a mobile application and sends the POST request for authentication. – Ruchir Patwa Aug 15 '13 at 18:02

1 Answer

4

Generally speaking, yes, this is safe against a passive network eavesdropper, which is the primary threat one is concerned about in this sort of architecture.

If you'd prefer not to send the password in the (HTTPS-encrypted) request, you can have the server send a unique challenge string to the client. The client hashes the combination of that string with the password and then sends the hash to the server. This proves to the server that the client has the password without actually sending it. Yahoo's Login form used to work like this, for instance.

EricLaw
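The challenge-response exchange the answer describes, worked through end to end as an added example (this is not code from the question or the answer). It assumes the server keeps a per-user verifier derived from the password with PBKDF2 and a per-user salt, that the server sends that salt together with a fresh random nonce in step 1, and that both sides agree on HMAC-SHA256 over the nonce keyed with the derived key; the user names, passwords and work factor are constructed sample values.

```python
"""Challenge-response password login for an HTTPS POST API.

Added example, not code from the original post. Assumptions: the server
stores a PBKDF2-derived verifier per user, sends salt + nonce as the
challenge, and the response is HMAC-SHA256(key=verifier, msg=nonce).
"""
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor; both sides must use the same value (assumption)


def derive_key(password: str, salt: bytes) -> bytes:
    """Password-derived key the client recomputes and the server stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class Server:
    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes]] = {}  # username -> (salt, verifier)
        self.pending: dict[str, bytes] = {}              # username -> outstanding nonce
        self.dummy_secret = secrets.token_bytes(32)      # for stable fake salts below

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, derive_key(password, salt))

    def issue_challenge(self, username: str) -> dict:
        """Step 1: client names the account; server replies with salt and a fresh nonce."""
        if username not in self.users:
            # Deterministic fake salt so the reply does not reveal which accounts exist.
            fake_salt = hmac.new(self.dummy_secret, username.encode(), hashlib.sha256).digest()[:16]
            return {"salt": fake_salt.hex(), "nonce": secrets.token_hex(32)}
        salt, _ = self.users[username]
        nonce = secrets.token_bytes(32)
        self.pending[username] = nonce
        return {"salt": salt.hex(), "nonce": nonce.hex()}

    def verify(self, username: str, response_hex: str) -> bool:
        """Step 3: recompute the expected response and compare in constant time."""
        nonce = self.pending.pop(username, None)  # single use: a replayed response fails
        if nonce is None or username not in self.users:
            return False
        _, verifier = self.users[username]
        expected = hmac.new(verifier, nonce, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response_hex)


def client_response(password: str, challenge: dict) -> str:
    """Step 2: the client proves it knows the password without transmitting it."""
    key = derive_key(password, bytes.fromhex(challenge["salt"]))
    return hmac.new(key, bytes.fromhex(challenge["nonce"]), hashlib.sha256).hexdigest()


def login(server: Server, username: str, password: str) -> bool:
    """Full exchange; the two dicts are the JSON bodies that would cross the HTTPS POSTs."""
    challenge = server.issue_challenge(username)      # server -> client: {"salt", "nonce"}
    response = client_response(password, challenge)   # client -> server: {"username", "response"}
    return server.verify(username, response)


if __name__ == "__main__":
    srv = Server()
    srv.register("alice", "correct horse battery staple")  # constructed sample account
    print(login(srv, "alice", "correct horse battery staple"))  # True
    print(login(srv, "alice", "wrong password"))                # False
```

Two points to keep in mind when deploying a scheme like this: the server must hold something from which it can recompute the client's response, so the stored verifier is password-equivalent for this API (anyone who reads the user table can answer challenges), and the nonce must be single-use so a captured response cannot be replayed. It protects the password itself in transit; it does not remove the need for HTTPS, which still protects the session that follows the login. Password-authenticated key exchanges such as SRP avoid the password-equivalent verifier at the cost of a more involved protocol.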