steve cook

Reputation: 3224

Securing user/password for REST API

I have a web service REST API on a secure ASP.NET website which requires a login to work. What is the most secure way to request the username/password programmatically? (Just adding a ?username=me&password=mysecret to the URL doesn't seem all that secure to me, even though this is an HTTPS connection.)

Upvotes: 0

Views: 879

Answers (1)

fsenart

Reputation: 5901

There are several ways to achieve what you need:

  • [WRONG WAY] One could pass the username and password along with the query string. In theory there is nothing wrong with this practice, but such a URL (http://example.com?username=me&password=mysecret) is usually cached by browsers, proxies, etc. and thus leverages a potential risk that someone else can access your protected data by using this stored data.
  • [GOOD WAY] In order to remove "almost all" risks related to caching abilities of browsers, proxies, etc. and moreover in order to use standard features of the HTTP protocol, you have to deal with the special HTTP Authorization header.

The HTTP Authorization header:

The Authorization header is constructed as follows:

  1. Username and password are combined into a string "username:password".

  2. The resulting string literal is then encoded using Base64.

  3. The authorization method and a space i.e. "Basic " is then put before the encoded string.

    For example, if the user agent uses 'Aladdin' as the username and 'open sesame' as the password then the header is formed as follows:

    Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

  • If you are using HTTP connections, then you should use the Digest Access Authentication method. Because it's more complicated and useless with HTTPS connections, I let you read more about it if you want (here maybe).

Upvotes: 3
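The three construction steps above, plus the server-side inverse (parsing and checking the header), as an added example that is not part of the original answer. The credential store `USERS` and the function names are assumptions made for the demo; a real ASP.NET service would compare against salted password hashes, not plaintext.

```python
import base64
import binascii
import hmac


def build_basic_auth_header(username: str, password: str) -> str:
    """Steps 1-3 from the answer: join with ':', Base64-encode, prefix 'Basic '."""
    credentials = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(credentials).decode("ascii")


def parse_basic_auth_header(header_value: str):
    """Server side: recover (username, password) from an Authorization header.

    Returns None for anything that is not a well-formed Basic credential.
    The password is everything after the FIRST ':' so passwords containing
    ':' round-trip correctly (the username itself must not contain ':').
    """
    scheme, _, encoded = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed Base64 or non-UTF-8 bytes
    username, sep, password = decoded.partition(":")
    if not sep:
        return None  # no ':' means no password field at all
    return username, password


# Constructed sample credential store for this demo only (assumption):
# never keep plaintext passwords in a real service.
USERS = {"Aladdin": "open sesame"}


def authenticate(header_value: str) -> bool:
    """True only if the header carries a known username with the right password."""
    parsed = parse_basic_auth_header(header_value)
    if parsed is None:
        return False
    username, password = parsed
    expected = USERS.get(username, "")
    # Constant-time comparison so response timing does not reveal how many
    # leading characters of the password were correct.
    return bool(expected) and hmac.compare_digest(password.encode(), expected.encode())


if __name__ == "__main__":
    header = build_basic_auth_header("Aladdin", "open sesame")
    print(header)  # Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
    print(authenticate(header))  # True
```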
