 

Do REST APIs require password and login at every request?

Tags: rest, php, api

Suppose I develop a social networking site and I decide that I want the core of the application to be completely REST'ed. A user logs in with a password. Now, my question is: does every request require a password and login pair (assuming that you need to provide your identity) at the end of the URL, like www.site.com/index.php?p=pass&l=login? I would be a little nervous about asking for that at every request. I know that I am missing something… it can't be like that, because anyone could snoop on packets and capture the password and login easily. I don't think having all requests done over HTTPS would make sense (I read it's taxing on resources).

So please fill in the missing part that I need to understand.

asked Jan 29 '12 01:01 by netrox

2 Answers

First off, unless you know that using SSL is too expensive for you, use SSL. Security comes before performance optimizations.

Now, about passing usernames and passwords: usually you have an "API access token" or the like. It's not actually the username/password, but when someone has it they're granted the ability to make API requests. These can have limited or unlimited validity as you like. You can even make the token a signature - the user signs the request with some key, and you validate the signature.

But yes, since each API request is independent of the last, you're going to either have to use HTTP Basic authentication or its equivalent, or pass the API token (or other signatory device) with every request.

answered Sep 28 '22 09:09 by Borealid



Typically, you make a call to a login method that will generate a token that can be reused in all the next requests.

My advice is to force the use of SSL on every request, if that is not possible you should probably request a secure login and generate a temporary token for that particular session (similarly to session IDs).

You can see how OAuth is being used by the Flickr API to provide authentication in the diagram below. In this scenario, a temporary token is used to ask for a permanent token and a token secret.

[Diagram: Flickr OAuth authentication flow]

Taken from: http://www.flickr.com/services/api/auth.oauth.html#access_token

answered Sep 28 '22 09:09 by Bruno Silva
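Both answers describe the same shape: the password is sent exactly once, to a login call, which hands back a token (and, in the Flickr flow, a token secret); every later request then carries the token plus a per-request signature instead of the password. The following is an added, self-contained Python sketch of that exchange, written for this page and not taken from either answer, the Flickr API, or any OAuth library. The server, client, user store, token lifetime (`TOKEN_TTL`), clock-skew window (`MAX_SKEW`) and the sample user "alice" are all constructed for the example. Python is used here only because it shows the protocol compactly; the same logic ports directly to a PHP endpoint. It goes slightly beyond the answers by also rejecting replayed and tampered requests, which is what a per-request signature buys you over sending a bare token.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL = 3600   # token lifetime in seconds (assumed policy for the example)
MAX_SKEW = 300     # reject requests whose timestamp is more than 5 min off the server clock


@dataclass
class Token:
    user: str
    secret: bytes    # shared only with the client that logged in; never sent again
    expires: float


def canonical(method, path, body, ts, nonce):
    """The exact bytes both sides sign: method, path, timestamp, nonce and a body hash."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(ts), nonce, body_hash]).encode()


def sign(secret, method, path, body, ts, nonce):
    """HMAC-SHA256 over the canonical request, keyed with the token secret."""
    return hmac.new(secret, canonical(method, path, body, ts, nonce), hashlib.sha256).hexdigest()


class AuthServer:
    def __init__(self):
        self._users = {}      # user -> (salt, pbkdf2 hash); no plaintext passwords stored
        self._tokens = {}     # token id -> Token
        self._nonces = set()  # nonces already accepted (replay protection)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._hash(password, salt))

    def login(self, user, password, now=None):
        """The only call that carries the password. Returns (token_id, secret) or None."""
        now = time.time() if now is None else now
        rec = self._users.get(user)
        if rec is None:
            return None
        salt, stored = rec
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        token_id = secrets.token_hex(16)
        secret = secrets.token_bytes(32)
        self._tokens[token_id] = Token(user, secret, now + TOKEN_TTL)
        return token_id, secret

    def verify(self, req, now=None):
        """Authenticate one stateless request. Returns the user name, or None to reject."""
        now = time.time() if now is None else now
        tok = self._tokens.get(req["token_id"])
        if tok is None or now > tok.expires:
            return None                                   # unknown or expired token
        if abs(now - req["ts"]) > MAX_SKEW:
            return None                                   # stale timestamp
        if req["nonce"] in self._nonces:
            return None                                   # replayed request
        expected = sign(tok.secret, req["method"], req["path"], req["body"], req["ts"], req["nonce"])
        if not hmac.compare_digest(expected, req["sig"]):
            return None                                   # tampered or forged request
        self._nonces.add(req["nonce"])
        return tok.user


class Client:
    def __init__(self, token_id, secret):
        self.token_id, self.secret = token_id, secret

    def request(self, method, path, body=b"", now=None):
        """Build a request carrying the token id and a signature, but never the password."""
        ts = int(time.time() if now is None else now)
        nonce = secrets.token_hex(8)
        return {"method": method, "path": path, "body": body, "token_id": self.token_id,
                "ts": ts, "nonce": nonce, "sig": sign(self.secret, method, path, body, ts, nonce)}


def demo(now=1_700_000_000):
    """Run the exchange once with a constructed user and return what the server decided."""
    server = AuthServer()
    server.register("alice", "correct horse battery staple")   # constructed sample user
    results = {"bad_password": server.login("alice", "wrong", now)}
    token_id, secret = server.login("alice", "correct horse battery staple", now)
    client = Client(token_id, secret)
    tampered = client.request("POST", "/posts", b'{"text":"hi"}', now)
    tampered["body"] = b'{"text":"evil"}'                        # body changed after signing
    results["tampered"] = server.verify(tampered, now)
    good = client.request("POST", "/posts", b'{"text":"hi"}', now)
    results["unknown_token"] = server.verify({**good, "token_id": "0" * 32}, now)
    results["valid"] = server.verify(good, now)
    results["replay"] = server.verify(good, now)                 # same nonce a second time
    later = now + TOKEN_TTL + 1
    results["expired"] = server.verify(client.request("GET", "/me", now=later), later)
    return results


if __name__ == "__main__":
    print(demo())
```

The signature proves possession of the token secret without exposing it, so a captured request cannot be turned into a different request or replayed after its nonce has been seen; what it does not do is hide the request contents, which is why both answers still say to put the whole API behind SSL/TLS. Binding the signature to a timestamp also means the server needs a reasonably accurate clock and clients need to tolerate a "stale timestamp" rejection by re-signing.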