
Which is better, pass username/password as parameters in HTTP header or HTTP Body?

Tags: http, header

I am implementing a REST server.

I am going to receive the username, requestid and password for each request from the user.

I have two choices: I can ask users to pass those three parameters in the HTTP body or in the HTTP header.

Which will be the better way of implementation, and why?

Thanks in advance.

Sarada asked Feb 21 '12 19:02


1 Answer

Header!

If I understand your question, you have something that you are going to pass with every single request. That means if you want to support safe requests like GET and HEAD, you only have two choices: the HTTP headers or the URL (typically via query parameters).

Since it includes authentication information, you should avoid putting it in the URL. Other than that, you say it is encrypted, and an added layer of protection would be to do it over SSL, but the header and body are equally safe/vulnerable, so it makes no difference from a security standpoint.

Putting it in the header also decouples it from the application state and also from the media type, which is a good thing. If you want to support JSON, XML and XHTML forms, it makes no difference to your authentication parameters.

jhericks answered Oct 23 '22 03:10
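
An added example, not part of the original answer: a sketch of the header-based approach the answer recommends, assuming HTTP Basic in the `Authorization` header for the username/password and a hypothetical `X-Request-Id` header for the request id. The same check serves GET, HEAD and POST with any media type, and it refuses credentials placed in the query string.

```python
import base64
import hmac
from urllib.parse import urlsplit, parse_qs

# Constructed sample store; a real service would keep password hashes, not plaintext.
USERS = {"alice": "s3cret-constructed"}
# Query parameter names treated as credentials (assumed list for this example).
FORBIDDEN_QUERY_KEYS = {"username", "password"}


def parse_basic(header_value):
    """Return (username, password) from an 'Authorization: Basic ...' value, or None."""
    if not header_value:
        return None
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64, bad padding and invalid UTF-8
        return None
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None


def authenticate(method, url, headers, body=b""):
    """Return (status, detail). The body and its media type are never consulted."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if FORBIDDEN_QUERY_KEYS & {k.lower() for k in query}:
        return 400, "credentials must not be sent in the URL"
    lowered = {k.lower(): v for k, v in headers.items()}
    creds = parse_basic(lowered.get("authorization"))
    request_id = lowered.get("x-request-id")  # hypothetical header name
    if creds is None or not request_id:
        return 401, "missing or malformed credentials"
    username, password = creds
    expected = USERS.get(username, "")
    # Constant-time comparison, performed even when the user is unknown.
    ok = hmac.compare_digest(password.encode(), expected.encode())
    if not ok or username not in USERS:
        return 401, "invalid credentials"
    return 200, f"{method} authenticated as {username} (request {request_id})"


def basic_header(username, password):
    """Build the header value a client would send."""
    raw = f"{username}:{password}".encode()
    return "Basic " + base64.b64encode(raw).decode("ascii")
```

Basic credentials are only base64-encoded, so this scheme relies on the connection running over TLS.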