Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Sending username and password to web service

I am developing a web service and I need to send a username and password to the service in a GET method. Is it OK to send this information in the uri as long as it's going over a secure channel like ssl? In other words, can I have a uri that looks like /users/{username}/{cleartext_password}?

Edit: Sorry, I think I was unclear. The web service is essentially just a database of usernames and hashed passwords. Imagine a desktop application that keeps usernames and passwords in a remote database. The end user types their username and password into the application and the application accesses the web service to authenticate the user.

So, the application will need to send an end user's username and plaintext password to the service. The service will take the username and password and check that the username and the hash of the password match the username and hashed password in the database. The application itself will have to authenticate before it can access the service, but I am just wondering what is the best way to send the end user's username and password to the service for authenticating the end user. I don't to use a POST method because I am simply authenticating and therefore not changing the state of the server. Sorry for the confusion.

like image 901
Jim Avatar asked May 20 '10 18:05

Jim


People also ask

How do I pass a username and password in REST API post?

The client must create a POST call and pass the user name, password, and authString in the Request headers using the /x-www-form-urlencoded content type. The AR System server then performs the normal authentication mechanisms to validate the credentials.

How do I authenticate a web service?

Implement the Web Service Access Key Then use the account's credentials, which include the user name and access key, in a web service application. For example, if you develop your own web service application, then you can design your application to programmatically pass the credentials to the web service.

What is a secure way to send credentials from client to server in an HTTP request?

Quick Answer: It is a standard practice to send "plain text" passwords over HTTPS via POST method. As we all know the communication between client-server is encrypted as per TLS, so HTTPS secures the password.

How are passwords sent securely from server to client?

This is usually overcome by encrypting the communication between the user and the server. The most common form of encryption is the Transport Layer Security (TLS) standard or the older SSL standard (Secure Socket Layer).


1 Answers

Do this.

Send a "key" and a "digest".

The "key" is equivalent to a username.

The "digest" is a SHA1 (or MD5) hash of the key, the URI and a "shared secret" or password.

When the server gets this, it computes it's own version of the digest, based on key, URI being requested and the "shared secret" or password. Failure to match digests is a 401 error response.

like image 110
S.Lott Avatar answered Oct 20 '22 22:10

S.Lott