Suppose I develop a social networking site and I decide that I want the core of the application to be completely REST'ed. A user logs in with a password. Now, my question is does every request require password and login pairs (assuming that you need to provide your identity) at the end of URL like www.site.com/index.php?p=pass&l=login? I would be a little nervous about asking for that at every request. I know that I am missing something… it can't be like that because anyone could snoop into packets and capture the password and login easily. I don't think having all requests done in HTTPS would make sense (I read it's taxing on resources).
So please fill in the missing part that I need to understand.
First off, unless you know that using SSL is too expensive for you, use SSL. Security comes before performance optimizations.
Now, about passing usernames and passwords: usually you have an "API access token" or the like. It's not actually the username/password, but when someone has it they're granted the ability to make API requests. These can have limited or unlimited validity as you like. You can even make the token a signature - the user signs the request with some key, and you validate the signature.
But yes, since each API request is independent of the last, you're going to either have to use HTTP Basic authentication or its equivalent, or pass the API token (or other signatory device) with every request.
Typically, you make a call to a login method that will generate a token that can be reused in all the next requests.
My advice is to force the use of SSL on every request; if that is not possible, you should probably request a secure login and generate a temporary token for that particular session (similarly to session IDs).
You can see how OAuth is being used by the Flickr API to provide authentication in the diagram below. In this scenario, a temporary token is used to ask for a permanent token and a token secret.
Taken from: http://www.flickr.com/services/api/auth.oauth.html#access_token
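Added example (not from either answer or from Flickr's API): a minimal version of the flow both answers describe, in Python using only the standard library. One login call exchanges the password for a signed, expiring token; every later request carries that token in an Authorization header instead of the password, and the server verifies it statelessly by recomputing the HMAC. The server secret, user store and user name are constructed for the example; as the answers say, all of this still belongs behind SSL.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed example data. The secret would normally come from configuration;
# passwords are never stored in clear, only a salted PBKDF2 hash.
SERVER_SECRET = os.urandom(32)
TOKEN_TTL = 3600  # token validity in seconds


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}  # constructed user


def _sign(payload: str) -> str:
    """HMAC the payload with the server secret so the token cannot be forged or altered."""
    return hmac.new(SERVER_SECRET, payload.encode(), "sha256").hexdigest()


def login(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """Exchange credentials once for a token of the form user:expiry:signature."""
    record = USERS.get(username)
    if record is None:
        return None
    salt, stored = record
    if not hmac.compare_digest(stored, _hash_password(password, salt)):
        return None
    expires = int((now if now is not None else time.time()) + TOKEN_TTL)
    payload = f"{username}:{expires}"
    return f"{payload}:{_sign(payload)}"


def authenticate_request(headers: dict, now: Optional[float] = None) -> Optional[str]:
    """Validate 'Authorization: Bearer <token>' on a later request; return the user or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    parts = auth[len("Bearer "):].split(":")
    if len(parts) != 3:
        return None
    username, expires, sig = parts
    if not hmac.compare_digest(sig, _sign(f"{username}:{expires}")):
        return None  # signature mismatch: forged or tampered token
    if not expires.isdigit() or int(expires) < (now if now is not None else time.time()):
        return None  # expired: the client must log in again
    return username
```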