I am designing a web service which can be used by multiple clients, web, mobile, 3rd party, etc. I am looking at REST as a possible solution and I am considering the case of authentication.
I am trying to keep things simple and performant. For the record, I am using Node.js.
I understand that sessions are not advised for scalability reasons.
What are the opinions on passing the username and password on every request over HTTPS?
For example:
http://myservice/users/list?username=authorized&password=mypass
Are there severe disadvantages to this approach? Does it open a security hole, cross-site scripting?
Is there a better solution for a web service in general?
You should never use cleartext information inside a URL (it can be visible in browser history, it is not obfuscated, and it also ends up inside the usual log patterns, like Apache's).
Instead use HTTP headers for that:
X-USER: user
X-PWD: password
The advantages:
In case you don't have SSL in place you should use a nonce approach. Have a look at HTTP Digest to get some ideas. In case you don't need to identify specific users (like mobile-device end users) you can completely reuse HTTP Digest.
For security setup reuse as much as possible. It is tough to come up with a custom authentication scheme, because there are many security pitfalls.