Simple REST Authentication Strategy?

Question

Simple REST Authentication Strategy?

I am developing a web service that can be used by several clients, a website, a mobile phone, a third-party vendor, etc. I consider REST as a possible solution, and I am considering an authentication case.

I try to keep things simple and effective. For recording, I use Node.js.

I understand that sessions are not recommended for scalability reasons.

What are the opinions on passing username and password on every request via https?

For instance:

http: // myservice / users / list? username = authorized & password = mypass

Are there any serious flaws in this approach? Does this open a security hole, crossite scripting?

Is there a better solution for web service in general?

+5

authentication rest node.js

Cliff 20 sept '11 at 12:48

source share

2 answers

nonce.

, SSL.

+1

Chris G. 20 . '11 12:51

manuel aldana · Accepted Answer · 2011-09-20T15:57:41+0000

You should not use plaintext information inside a URL (it may be visible in the browser history, not obfuscation, as well as inside a regular logarithm such as apache).

Use the HTTP headers for this instead:

X-USER: user
X-PWD: password

Benefits:

It is HTTP compatible (HTTP headers are used a lot for cross-cutting issues such as security controls or caching).
If you use SSL (for example, via https), the information is encrypted.

SSL, nonce. HTTP-, . (, ), HTTP-.

. , .

Simple REST Authentication Strategy?

More articles: