Reputation: 702
and thank all of you for viewing this question.
I am not sure how to do this, so I am asking for the community's help on this matter. I read in this post, Can you help me understand this? "Common REST Mistakes: Sessions are irrelevant", that sessions are not "completely" advised on the REST convention, and that all authentication should be made using HTTP Basic authentication or Digest.
Ok, so far I get it.
But as far as I know, basic authentication is made on the actual server against a regular non-encrypted text file.
Would it be going against the convention, putting the username/password in the http request parameters, instead of passing them down through the headers and letting the web server do the authentication?
This way, for every request made, the user/pass parameters would be checked and managed using my own logic. I mean using a database table, that has all the info necessary for the application.
Upvotes: 0
Views: 141
Reputation: 634
The method I currently use is the first request is for an auth token via a POST method, which contains Headers of Username and Password; these are then verified against my authentication methods. If the credentials are valid, I return a time limited token. All subsequent requests must have the auth token as a header, which is checked and, if valid, access is allowed. I maintain the list of valid tokens in code and expire them as required. This is faster than having to validate the username & password on each call and is slightly safer than the username & password being passed in with each call, as a token could be stolen, but it is only valid for a small period of time.
All of this must be run under SSL, otherwise the data is not secure and users' credentials can be read.
Upvotes: 1
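The token flow this answer describes (credentials sent once in Username/Password headers, a short-lived token issued in return, every later request carrying the token in a header, and a server-side list of valid tokens that are expired as required), written out as an added example. This is not the answerer's code; the user store, the header names `Username`, `Password` and `Auth-Token`, the five-minute lifetime and the injectable clock are all assumptions made here so the expiry behaviour can be exercised offline.

```python
import hmac
import secrets
import time

# Constructed user store for the example (username -> password). Plaintext is used here only to
# keep the token flow short; a real store would hold salted one-way hashes instead.
USERS = {"alice": "correct horse battery staple"}

TOKEN_TTL_SECONDS = 300  # assumed lifetime: tokens expire after five minutes


class TokenStore:
    """In-memory list of valid tokens with their expiry times, as the answer describes."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self.ttl = ttl
        self.clock = clock          # injectable so tests can move time forward
        self._tokens = {}           # token -> (username, expires_at)

    def login(self, headers):
        """First POST: read the Username/Password headers, verify them, issue a token."""
        username = headers.get("Username")
        password = headers.get("Password") or ""
        expected = USERS.get(username)
        # compare_digest keeps the comparison time independent of where the strings differ
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        token = secrets.token_urlsafe(32)       # 256 bits of randomness, not guessable
        self._tokens[token] = (username, self.clock() + self.ttl)
        return token

    def authenticate(self, headers):
        """Subsequent requests: look up the Auth-Token header, reject unknown or expired tokens."""
        token = headers.get("Auth-Token")
        entry = self._tokens.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if self.clock() >= expires_at:
            del self._tokens[token]             # expire as required
            return None
        return username

    def logout(self, token):
        """Let a client invalidate its own token before the lifetime runs out."""
        self._tokens.pop(token, None)


if __name__ == "__main__":
    store = TokenStore()
    tok = store.login({"Username": "alice", "Password": "correct horse battery staple"})
    print("issued token:", tok)
    print("authenticated as:", store.authenticate({"Auth-Token": tok}))
```

Because the token list lives in process memory, a restart or a second server instance forgets every issued token; that is the trade-off the answer accepts for speed, and it is why the lifetime is kept short.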
Reputation: 13682
Basic auth is handled by the server however the server chooses to handle it. There certainly doesn't have to be a plaintext file containing usernames and passwords! My current client stores passwords in a 1-way salted hash in their database. On an incoming request, the plaintext password is pulled from the header, salted, hashed, and then compared to the database value.
Putting a password in a request parameter is a really bad idea. What happens when a user copies and pastes a URL to email to their coworker?
Upvotes: 0
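What this answer describes, as an added example rather than the answerer's or their client's code: the `Authorization: Basic` header is decoded in application code, the plaintext password is salted and hashed, and the result is compared against the stored one-way hash, so no password file is involved. The choice of PBKDF2-HMAC-SHA256 from `hashlib`, the iteration count, the 16-byte salt and the in-memory `user_db` dictionary are assumptions made for the example.

```python
import base64
import binascii
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for the example


def make_record(password):
    """Create the stored form of a password: a random salt plus the one-way hash, never the plaintext."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def parse_basic_header(value):
    """Return (username, password) from an 'Authorization: Basic <base64>' value, or None if malformed."""
    if value is None:
        return None
    scheme, _, encoded = value.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    # RFC 7617: the user-id cannot contain ':', but the password may, so split on the first one
    username, _, password = decoded.partition(":")
    return username, password


def verify_basic(header_value, user_db):
    """Pull the plaintext password from the header, salt + hash it, compare to the stored digest."""
    creds = parse_basic_header(header_value)
    if creds is None:
        return None
    username, password = creds
    record = user_db.get(username)
    if record is None:
        # Hash anyway so an unknown username costs the same time as a wrong password
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), b"\x00" * 16, ITERATIONS)
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), record["salt"], ITERATIONS)
    if hmac.compare_digest(candidate, record["hash"]):
        return username
    return None


def basic_header(username, password):
    """Build the header value a client would send (used to drive the demonstration)."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    user_db = {"bob": make_record("s3cret")}        # constructed sample user
    print(verify_basic(basic_header("bob", "s3cret"), user_db))   # bob
    print(verify_basic(basic_header("bob", "wrong"), user_db))    # None
```

The `user_db` dictionary stands in for the database table the question asks about; the point is that the server reads the header and applies its own verification logic, so the credentials never need to appear in the URL or query string where they would be copied, logged or emailed along with it.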