0

and thank all of you for viewing this question.

I am not sure to on how do this so i am asking for the community help on this matter. I read int his post Can you help me understand this? "Common REST Mistakes: Sessions are irrelevant" that sessions are not "completely" advised on the REST convention, and that all authentication should be made using HTTP Basic authentication or Digest.

Ok, so far i get it.
But has far has i know, basic authentication is made on the actual server against a regular non-encrypted text file. Would it be going against the convention, putting the username/password in the http request parameters, instead of passing them down trough the headers and letting the web server do the authentication?

This way, for every request made, the user/pass parameters would be checked and managed using my own logic. I mean using a database table, that has all the info necessary for the application.

Community
  • 1
  • 1
CrazyMenConnected
  • 682
  • 5
  • 21

2 Answers2

1

The method I currently use is the first request is for a auth token via a POST method, which contains Headers of Username and Password, these are then verified against my authentication methods. If the credentials are valid, I return a time limited token. All subsequent requests must have the auth token as a header, which is checked and if valid access is allowed. I maintain the list of valid token in code and expire them as required. This is faster than having to validate the username & password on each call and is slightly safer than the username & password being passed in with each call as a token could be stolen, but it is only valid for a small period of time.

All of this this must be run under SSL otherwise the data is not secure and users credentials can be read.

sbarnby71
  • 584
  • 4
  • 7
  • 21
0

Basic auth is handled by the server however the server chooses to handle it. There certainly doesn't have to be a plaintext file containing usernames and passwords! My current client stores passwords in a 1-way salted hash in their database. On an incoming request, the plaintext password is pulled from the header, salted, hashed, and them compared to the database value.

Putting a password in a request parameter is a really bad idea. What happens when a user copies and pastes a URL to email to their coworker?

Eric Stein
  • 13,209
  • 3
  • 37
  • 52