Geek Answers Handbook

Do I need a REST API for each request password and login?

Suppose I developed a social networking site, and I decided that I want the application core to be fully REST'ed. The user is logged in with a password. Now, my question is that each request requires passwords and login pairs (provided that you need to provide your identity) at the end of the URL, for example www.site.com/index.php?p=pass&l=login? I would be a little nervous about asking for it on every request. I know that something is missing from me ... it cannot be so, because someone can pop up in packages and easily write down the password and login. I do not think that all requests made in HTTPS would make sense (I read that it is subject to resource taxes).

So, please fill in the missing part that I need to understand.

+5
source share
3 answers

First of all, if you do not know that using SSL is too expensive for you, use SSL. Security runs until performance is optimized.

Now about passing usernames and passwords: usually you have an β€œAPI access token” or the like. This is not actually a username / password, but when someone has this, they are given the opportunity to make API requests. They may have limited or unlimited legal force. You can even make a token a signature - the user signs the request using some key, and you confirm the signature.

, API , HTTP-, , API ( ) .

+12

, , , .

- SSL , , , , ( ).

, OAuth API Flickr . .

OAuth Flickr diagram

: http://www.flickr.com/services/api/auth.oauth.html#access_token

+6

Traditional session tracking rules apply to REST, just like any other system. It’s best to make a login front, and then return the token to the client that they will give you for each request (whether in the query line, in the cookie, or whatever you have). Tokens are indexed into some server site of the data warehouse, which contains all the necessary information about the session - and, in particular, the user ID, etc.

+1
source

More articles:


All Articles