
I have a WCF REST file server that validates users by taking in two additional parameters, username and password, with each request. e.g., System.IO.Stream Download(string username, string password, int fileid)

I wanted to use GET for all methods, but I can't do this since I don't want the username and password visible in the address bar. Instead, I'm using POST, which isn't exactly bulletproof, but still a better choice than GET in this case.

Are there any other better approaches to user validation excluding basic HTTP authentication? Preferably something that would let me use GET without having to include the usernames and passwords in the URL.

rafale
  • possible duplicate of [Basic Authentication with WCF REST service to something other than windows accounts?](http://stackoverflow.com/questions/660445/basic-authentication-with-wcf-rest-service-to-something-other-than-windows-accoun), but not 100% sure. – Preet Sangha Sep 11 '11 at 22:59

1 Answer


Trying to hide the username and password by changing the Http Method from GET to POST has basically no added security. Even very untechnically challenged people can use just about any program to see what data is being sent to the server.

Now beyond the obvious username password issue, you could use HTTP Headers instead of QueryString parameters to pass values back to a WCF Service (RESTful). This would allow you to use the GET method and still pass the username and password without those specific values existing in the URL, but again, this is virtually no added security.

Erik Philips
  • Wouldn't the HTTP headers also be sent in plaintext? What advantage would they have over POST? – rafale Sep 11 '11 at 23:37
  • +1 yes there is no advantage to using HTTP headers over Post in a security context. Specifically the question asked was if there was an alternate solution to GET or POST. HTTP Headers is an alternative solution. – Erik Philips Sep 11 '11 at 23:44
  • Then I suppose encryption would be the only "proper" method of securing the user credentials. Getting back to my original question, what advantages do headers have over POST in a non-security context? – rafale Sep 11 '11 at 23:49
  • Separation of responsibilities. It is not the responsibility of the method being invoked to know whether or not a call is validated, that should happen prior to that. So separating authentication information from method information is preferred in this case. There are numerous applications (google calendar api and amazon services) where specific values that are not specific to call are passed in the headers instead of the querystring or post data. This is "better" for that reason, since the OP never mentioned specifics on what "better" is (programmatically, security, etc) – Erik Philips Sep 11 '11 at 23:56
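The header-based approach from the answer and the comments, as an added example that is not part of the answer or the asker's service: a WCF message inspector authenticates from request headers before the operation runs, so `Download` keeps only the file id and can be exposed via GET. The header names `X-Username`/`X-Password`, the `CredentialStore` class and its sample user are assumptions made up for this example, and the inspector refuses non-HTTPS requests because headers, like POST bodies, are plaintext on the wire.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;
using System.ServiceModel.Dispatcher;
using System.ServiceModel.Web;
using System.Text;

static class CredentialStore
{
    // Constructed sample user (hypothetical); a real store holds salted password hashes.
    static readonly Dictionary<string, string> Users = new Dictionary<string, string> { { "alice", "correct horse" } };
    public static bool Verify(string user, string password)
    {
        string expected;
        if (user == null || password == null || !Users.TryGetValue(user, out expected)) return false;
        byte[] a = Encoding.UTF8.GetBytes(expected), b = Encoding.UTF8.GetBytes(password);
        int diff = a.Length ^ b.Length;  // fixed-time compare: no early exit on mismatch
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Authenticates every request from headers before any operation is invoked
// (separation of responsibilities) and insists on TLS so credentials are not sent in the clear.
public class HeaderCredentialBehavior : IDispatchMessageInspector, IEndpointBehavior
{
    public object AfterReceiveRequest(ref Message request, IClientChannel channel, InstanceContext ctx)
    {
        if (request.Properties.Via.Scheme != Uri.UriSchemeHttps)
            throw new WebFaultException(HttpStatusCode.Forbidden);
        var http = (HttpRequestMessageProperty)request.Properties[HttpRequestMessageProperty.Name];
        if (!CredentialStore.Verify(http.Headers["X-Username"], http.Headers["X-Password"]))
            throw new WebFaultException(HttpStatusCode.Unauthorized);
        return null;
    }
    public void BeforeSendReply(ref Message reply, object state) { }
    public void ApplyDispatchBehavior(ServiceEndpoint ep, EndpointDispatcher d) { d.DispatchRuntime.MessageInspectors.Add(this); }
    public void AddBindingParameters(ServiceEndpoint ep, BindingParameterCollection p) { }
    public void ApplyClientBehavior(ServiceEndpoint ep, ClientRuntime r) { }
    public void Validate(ServiceEndpoint ep) { }
}

[ServiceContract]
public interface IFileService
{
    // GET is usable now: the URL carries only the file id, never credentials.
    [OperationContract, WebGet(UriTemplate = "files/{fileid}")]
    Stream Download(string fileid);
}
```

Register the behavior on the endpoint (for example `endpoint.Behaviors.Add(new HeaderCredentialBehavior())` next to the `WebHttpBehavior`) and the credentials never touch the operation signature or the URL.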