I am designing a web service which can be used by multiple clients, web, mobile, 3rd party, etc. I am looking at REST as a possible solution and I am considering the case of authentication.
I am trying to keep things simple and performant. For the record, I am using Node.js.
I understand that sessions are not advised for scalability reasons.
What are the opinions of passing username and password on every request over https?
Are there severe disadvantages to this approach? Does it open a security hole, cross-site scripting?
Is there a better solution for a web service in general?
Problem courtesy of: Cliff
You should never put cleartext information inside a URL (it can be visible in browser history, it is not obfuscated, and it also ends up in the usual log patterns like Apache's).
Instead use HTTP headers for that:
- It is HTTP conformant (HTTP headers are used a lot for cross-cutting concerns like security or caching control)
- In case you use SSL (like through https) the information is encrypted
In case you don’t have SSL in place you should use a nonce approach. Have a look at HTTP Digest to get some ideas. In case you don’t need to identify specific users (like mobile-device end-users) you can completely reuse HTTP Digest.
For security setup reuse as much as possible. It is tough to come up with a custom authentication scheme, because there are many security pitfalls.
Solution courtesy of: manuel aldana