Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is it secure to send username and password in a Json object in the body of a post request?

I am building a web application and my web server is secure, meaning that it uses an ssl cert with the front end to encrypt the connection.

When a user logs in, a JSON object which looks like this is created, and sent to the server.

{
    username:"the user's username",
    password:"the user's password"
}

On the server this is verified with a hashing algorithm that uses a salt. Once it is verified an api token is created which is valid for a certain amount of time, and is passed back and forth in the header in order to verify the user when requests are being made. Is sending the username and password like this best practice/secure, or is it better to send it in the header?

like image 488
Dan Avatar asked Jul 27 '17 08:07

Dan


People also ask

Is it safe to send password in post body?

It is quite safe but you should consider hashing the password also on the mobile app (on android/ios) before you send it to the server.

How do I pass username and password in post request?

post request is body, so I passed the string 'username=xyz&password=123' as second paramter and it worked fine. Key point is, if it's a http post request refrain from using params. Show activity on this post. It is best to use HttpParams to pass password instead of querystring concatenation of username + password.

Is a JSON file secure?

JSON alone is not much of a threat. After all, it's only a data-interchange format. The real security concerns with JSON arise in the way that it is used. If misused, JSON-based applications can become vulnerable to attacks such as JSON hijacking and JSON injection.


2 Answers

Lets divide it to many points:

1) you use a valid SSL certificate to secure the communication between the user and the server (It must be valid)

2) Sending the username and password in the body of the POST request is the best practice (Never use GET to send sensitive information such as Credentials)

3) Sending the api token in the HTTP request and response headers is the best practice (Again never use GET to send sensitive information such as session tokens)

So based on the points above, it seems that there is no risk in this implementation but you need to take the following points in your consideration:

1) The time out of the API token should be short in case of idle user. (5 ~ 15 mins are the averages based on the criticality of the application)

2) The length of the API token should be long string approx. 30 ~ 40 characters.

3) The API token generation must be randomized and hard to predict to protect from (session prediction attacks.)

Hope this help you.

like image 111
kingasmk Avatar answered Oct 08 '22 00:10

kingasmk


What you are describing is basically HTTP basic authentication.

Is sending the username and password like this best practice/secure, or is it better to send it in the header?

In security point of view I cannot think of a big difference whether you send the credentials in the body or in the header. Basically whoever manages to read the clear text message, can see the credentials in both components. The common practice when using the basic authentication is to use the HTTP header though:

Authorization: Basic VGVzdFVzZXI6UGFzc3dvcmQxMjM0

where VGVzdFVzZXI6UGFzc3dvcmQxMjM0 is your base64-encoded credentials. The decoded string in this case is: TestUser:Password1234

It is important to realize that in your case the TLS is the only protection for the credentials in transit so you must identify all the nodes in the communication channel that could potentially expose the clear message. For example if you are using proxies that would terminate the TLS, those proxies are potential vectors for MITM attacks.

If you want to increase the security for the credentials in transit, one option could be to implement asymmetric end-to-end encryption so that you would encrypt the credentials with an authenticated public key on the client-side (e.g. certificate signed by a trusted CA) and then decrypt it at the destination with the private key known only for your server. In this case you would not need to worry too much what happens to the message in-transit.

like image 10
quinz Avatar answered Oct 08 '22 00:10

quinz