
I'm sending the username and password in the HTTP body for authentication to each controller action in a Web API. I do the authentication in each controller using the username/password. It's using SSL.

Are there any security reasons why it's better to send the authentication credentials in the HTTP Header than in the HTTP body?

If I were using Basic Authentication I can see how having the credentials in the header is necessary, as in this question, but I'm not, so I don't see the purpose. It seems just as secure either way as long as it's using SSL.

Heinrich

1 Answer


From an SSL perspective, the security of the credentials in the header (HTTP Basic auth) or the body (e.g. form-based logon) of an HTTP request is equal.

However if the client is a regular web browser you should consider the following:

Browsers cache the credentials used with HTTP basic authentication, so users usually face the problem that to log out they have to close their browser.

On the other hand, a form-based logon usually creates a session cookie that is time-restricted and can be deleted at any time.

Robert
  • Native mobile apps will be using the Web API. – Heinrich Jun 05 '15 at 21:21
  • Ok, in that case it doesn't make a difference, as you have full control over whether and which credentials are sent. – Robert Jun 06 '15 at 21:53
  • When using a REST API, isn't it better to send the credentials in the header, as the server is able to authenticate the request BEFORE processing the body? Otherwise the server would process the whole body first and then authenticate the user. Therefore, an attacker could send very large requests without being authenticated. What do you think? – Theo Nov 18 '15 at 10:06
  • Considering DoS attacks, placing the authentication data in the header really makes sense. – Robert Nov 18 '15 at 12:07
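The point raised in the last two comments (header-first versus body-first authentication) is easy to see in code. The following is an added example, not code from the question, the answer, or any real framework: the `USERS` table, the `MAX_BODY` limit, the handler names and the `CountingStream` wrapper are all constructed for the demonstration. It models two Web API endpoints that authenticate with the same credential check; one reads the `Authorization` header and rejects a bad request before touching the body, the other must read and parse the body before it can even find the credentials.

```python
import base64
import hmac
import io
import json
from typing import Mapping, Optional, Tuple

# Constructed demo credential store (username -> password). A real service
# would store salted password hashes; plaintext is used only to keep this short.
USERS = {"alice": "correct horse battery staple"}

# Largest body the server is willing to read for one request (constructed limit).
MAX_BODY = 64 * 1024


class TooLarge(Exception):
    """Raised when a request body exceeds MAX_BODY."""


def check_credentials(username: str, password: str) -> bool:
    """Constant-time comparison; unknown users still perform a compare so the
    response time does not reveal whether the username exists."""
    expected = USERS.get(username)
    if expected is None:
        hmac.compare_digest(password.encode("utf-8"), b"\x00" * 32)
        return False
    return hmac.compare_digest(password.encode("utf-8"), expected.encode("utf-8"))


def basic_auth_header(username: str, password: str) -> str:
    """Build an RFC 7617 Basic Authorization header value (helper for callers)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (username, password) from a Basic header, or None if malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    username, _, password = decoded.partition(":")
    return username, password


class CountingStream:
    """Constructed stand-in for a request body stream that records how many
    bytes the handler actually consumed."""

    def __init__(self, data: bytes) -> None:
        self._buf = io.BytesIO(data)
        self.bytes_read = 0

    def read(self, n: int = -1) -> bytes:
        chunk = self._buf.read(n)
        self.bytes_read += len(chunk)
        return chunk


def read_body(stream: CountingStream, limit: int = MAX_BODY) -> bytes:
    """Read at most `limit` bytes; one extra byte tells us the body is too big."""
    data = stream.read(limit + 1)
    if len(data) > limit:
        raise TooLarge()
    return data


def handle_header_auth(headers: Mapping[str, str], body: CountingStream) -> Tuple[int, str]:
    """Credentials in the Authorization header: reject before reading the body."""
    creds = parse_basic_auth(headers.get("Authorization"))
    if creds is None or not check_credentials(*creds):
        return 401, "unauthorized"  # body untouched: zero bytes consumed
    try:
        payload = read_body(body)
    except TooLarge:
        return 413, "payload too large"
    return 200, f"ok {creds[0]} {len(payload)} bytes"


def handle_body_auth(headers: Mapping[str, str], body: CountingStream) -> Tuple[int, str]:
    """Credentials inside a JSON body: the whole body (up to the limit) must be
    read and parsed before the server can decide whether the caller is known."""
    try:
        raw = read_body(body)
    except TooLarge:
        return 413, "payload too large"
    try:
        doc = json.loads(raw)
    except ValueError:
        return 400, "bad json"
    username, password = doc.get("username", ""), doc.get("password", "")
    if not isinstance(username, str) or not isinstance(password, str):
        return 401, "unauthorized"
    if not check_credentials(username, password):
        return 401, "unauthorized"
    return 200, f"ok {username} {len(raw)} bytes"
```

Feeding both handlers a constructed 1 MiB body with bad credentials shows the difference: `handle_header_auth` answers 401 with `bytes_read == 0`, while `handle_body_auth` has to pull `MAX_BODY + 1` bytes off the connection before it can answer at all. Both variants are equally protected by TLS in transit, which is the answer's point; the header placement only changes how much work an unauthenticated client can make the server do, which is the comments' point.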