Reputation: 822
Background:
We are building a system that requires login information for all pages. The application is designed to be a RESTful application using CodeIgniter with the Phil Sturgeon library.
Scenario:
- A username & password are required when a user calls any page [Client]
- Authentication is needed when any API call is fired
I am a bit confused about how to migrate or do the above scenario, and what the approaches are to authenticate the application.
Upvotes: 1
Views: 1667
Reputation: 4048
A simple way to authenticate users in a RESTful API is using HTTP Basic or Digest Auth. In this setting the user credentials are sent via the Authorization header in the form of username:password as a Base64-encoded hash to the server.
As the principles of REST state that the communication between client and server should be stateless, the client has to send the authorization on every request. In practice this means that you often store the credentials in a session on the client side (as you don't want the user to enter his credentials on every request). Please note that you should only do this via a secured connection using HTTPS!
To authenticate the application you could use a token-based system, such as an API key. This means any request would be signed using additional request parameters. If the number of applications is finite and known, you could alternatively simply identify them by their IP.
You could also take a look at OAuth.
Upvotes: 2
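As an added example (not part of the answer above and not code from the Phil Sturgeon library), the two checks that answer describes could look like this in plain PHP: verifying the Basic credentials on every request, and verifying an application's signed request. The function names, the HMAC-SHA256 signing scheme, the 300-second freshness window and all sample users, keys and secrets are assumptions made for the illustration.

```php
<?php
// Added illustration; users, keys and secrets are constructed sample values.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
$apps  = ['app-123' => 'constructed-shared-secret']; // API key id => secret

// Decode "Authorization: Basic base64(username:password)". Base64 is a
// reversible encoding, so the header is only protected by HTTPS.
function parse_basic(string $header): ?array
{
    if (!preg_match('~^Basic\s+([A-Za-z0-9+/=]+)$~i', trim($header), $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    return explode(':', $decoded, 2); // first colon only; passwords may contain ':'
}

function authenticate_user(array $users, string $header): ?string
{
    $pair = parse_basic($header);
    if ($pair === null) {
        return null;
    }
    [$user, $pass] = $pair;
    $ok = isset($users[$user]) && password_verify($pass, $users[$user]);
    return $ok ? $user : null;
}

// Assumed signing scheme: HMAC-SHA256 over method, path, timestamp and body.
function sign_request(string $secret, string $method, string $path, int $ts, string $body): string
{
    return hash_hmac('sha256', implode("\n", [$method, $path, $ts, $body]), $secret);
}

function authenticate_app(array $apps, string $keyId, string $sig, string $method,
    string $path, int $ts, string $body, int $now): bool
{
    if (!isset($apps[$keyId]) || abs($now - $ts) > 300) { // unknown app or stale
        return false;
    }
    return hash_equals(sign_request($apps[$keyId], $method, $path, $ts, $body), $sig);
}
$now = time(); // constructed request follows
$sig = sign_request($apps['app-123'], 'GET', '/api/items', $now, '');
var_dump(authenticate_user($users, 'Basic ' . base64_encode('alice:correct horse')));
var_dump(authenticate_app($apps, 'app-123', $sig, 'GET', '/api/items', $now, '', $now));
var_dump(authenticate_app($apps, 'app-123', $sig, 'GET', '/api/other', $now, '', $now));
```

The last call reuses the signature for a different path and is rejected, which is the property that signing the request (rather than only sending the key) provides.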
Reputation: 2252
Requesting the login and password for every page is more suitable and more secure (that's what I do in my projects). Using a 'virtual' and stored session in the database may be a second solution, but not a good one, because it will be an additional charge for the DB.
Upvotes: 0