
I've used this tutorial to develop a simple REST service. What it takes is a string for username and then password. My plan was to simply send login info and an encrypted password using a HTTP request, and get a plain-text response saying something like "Success" to signify the log-in worked. However, I'm now reading that even with the password encrypted in some way, this is insecure.

Should I be using a RESTful @GET request for logging my users in? Could someone recommend a better way to do user log ins?

Mateusz J
  • Nothing wrong here, except that you should be using HTTPS. Even if you send an encrypted password, if the rest of the request be plain text, then it will be obvious to a man in the middle where the encrypted password begins and ends, making it easier for him to hack you. Use HTTPS and the MITM will get a bunch of gibberish. – Tim Biegeleisen Apr 09 '18 at 13:58
  • Thanks Tim. Do you have any guides handy on changing the super-basic REST service I have at the moment to one that utilizes HTTPS instead of HTTP? – Mateusz J Apr 09 '18 at 14:07
  • It's easy, just replace `HttpUrlConnection` with `HttpsUrlConnection`, if you were using the former already. The topic of SSL certificates is lengthy, beyond the scope of a single SO question, but there a ton of resources on how to do this. – Tim Biegeleisen Apr 09 '18 at 14:08

1 Answer


Should I be using a RESTful @GET request for logging my users in? Could someone recommend a better way to do user log ins?

If you want to follow the REST constraints, your server must be stateless, that is, no session state must be kept on the server. Every request must contain all details to be completed without depending on previous requests.

If your client requests a resource that requires authentication (and authorization), the request must contain all details to be authenticated (and authorized) by the server.

This answer should give you a good insight on what the stateless constraint is about.


The HTTP Basic authentication scheme is a good starting point for securing your API, transmitting the credentials as username and password pairs in the Authorization header, encoded with Base64:

Authorization: Basic <credentials>

Where <credentials> is computed as follows: Base64(<username>:<password>).

Credentials and other sensitive details must only be sent on top of an HTTPS connection.

cassiomolin
  • @dimwittedanimal If the OP wants to keep their application stateless, following the REST constraints, the authentication details must be sent in each request. – cassiomolin Apr 09 '18 at 14:16
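The scheme the answer describes, as an added example that is not part of the original question or answer: one side builds the `Authorization: Basic Base64(username:password)` header, the other parses it and checks the credentials on every request without keeping any session state. The user store, the salt, the sample user `alice` and her password are constructed for the example; the password is stored only as a salted PBKDF2 hash and compared in constant time, which is the check a service receiving these headers should be doing. It is written in Python because the header mechanics are language-agnostic, even though the question concerns a Java REST service.

```python
import base64
import binascii
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # constructed choice for the example


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the stored value cannot be replayed as a credential."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


# Constructed sample user store: never the plain-text password, only salt + hash.
_SALT = os.urandom(16)
USERS = {
    "alice": {"salt": _SALT, "hash": hash_password("correct horse battery", _SALT)},
}


def build_basic_header(username: str, password: str) -> str:
    """Client side: Authorization: Basic Base64(<username>:<password>)."""
    if ":" in username:
        # RFC 7617 forbids ':' in the user-id because it is the field separator.
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(header: str):
    """Server side: return (username, password), or None if the header is malformed.

    Base64 is an encoding, not encryption: anyone who can read the request on
    plain HTTP can run exactly this function, which is why the credentials must
    only travel over HTTPS.
    """
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def authenticate(header: str) -> bool:
    """Stateless check: each request carries its own credentials; nothing is remembered between calls."""
    creds = parse_basic_header(header) if header else None
    if creds is None:
        return False
    username, password = creds
    record = USERS.get(username)
    # Hash even for unknown users so response time does not reveal which usernames exist.
    salt = record["salt"] if record else _SALT
    expected = record["hash"] if record else b"\x00" * 32
    matches = hmac.compare_digest(hash_password(password, salt), expected)
    return matches and record is not None


if __name__ == "__main__":
    good = build_basic_header("alice", "correct horse battery")
    print(good)                      # the header a client would send
    print(parse_basic_header(good))  # what a plain-HTTP eavesdropper recovers
    print(authenticate(good), authenticate(build_basic_header("alice", "wrong")))
```

Every call to `authenticate` is independent, which is the stateless property the answer insists on; the cost of that is a password hash per request, so production services usually add a short-lived token scheme on top, but the request-carries-everything principle stays the same.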