Menu
A year or so ago I asked this question: Can you help me understand this? “Common REST Mistakes: Sessions are irrelevant”. My question was essentially this:
Okay, I get that HTTP authentication is done automatically on every message - but how? Is the username/password sent with every request? Doesn't that just increase attack surface area? I feel like I'm missing part of the puzzle.
The answers I received made perfect sense in the context of a mobile (iPhone, Android, WP7) app - when talking to a REST service, the app would just send user credentials along with each request. That worked great for me.
But now, I would like to better understand how one would secure a REST-like website, like StackOverflow itself or something like Reddit. How would things work if it was a user logged in via a web browser instead of logged in via an iPhone app?
I'll be quite frank: my understanding of security when it comes to websites is pretty limited, I'm not a web developer (Damnit Jim, I'm a desktop developer!). I enjoyed working with REST services from an app perspective, but now I want to try and build a website that is based on REST principles, and I'm finding myself to be pretty lost.
If there is anything in the above question that is unclear that you'd like me to clarify, please leave a comment and I'll address it.
323
Any website with a log-in uses a cookie to keep you logged in on every page of the site. When you log out of that site, it clears the cookie and doesn't set it again until you login again.
RESTful API endpoints should always maintain a stateless session state, meaning everything about the session must be held at the client. Each request from the client must contain all the necessary information for the server to understand the request.
Specifying Basic Authentication in a Web RequestThe string "Basic " is added to the Authorization header of the request. The username and password are combined into a string with the format "username:password", which is then base64 encoded and added to the Authorization header of the request.
Users of the REST API can authenticate by providing a user ID and password to the REST API login resource with the HTTP POST method. An LTPA token is generated that enables the user to authenticate future requests. This LTPA token has the prefix LtpaToken2 .
If you use a proxy like Fiddler, you can see exactly what stackoverflow does.
It connects to a resource on /users/authenticate/?s=.... which responds with two "Set-Cookie" commands in the header (gauth and usr).
Those cookies are passed in the headers of subsequent requests to stackoverflow.
I'm assuming that stackoverflow looks the keys up from those cookies to make sure you're previously authorized. When the cookie expires, you're considered logged out.
76
The real problem is that web browsers suck. Ok, so maybe I'm just bitter ;-).
If you create a website that uses one of the standard HTTP authentication mechanisms like Basic or Digest then the browser will pop open a login screen and then use those credentials on every future request.
However, most people want control over the way their login page looks, but to my knowledge if you capture login information in this way there is no way to tell the browser, hey, use these credentials in the Authentication header in future requests.
It would also be nice if there was a way to tell the browser, hey, those credentials you are using, please forget them. That would allow you to effectively logout.
The workaround as has already been suggested is to use cookies as a replacement for the Authorization header. It is not ideal, but as long as the cookie is only used to provide authentication information and not as a server side session identifier then all is good.
28
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
