
What are best practices when it comes to sending user credentials to stateless services (let's say ASP.NET Web APIs)?

What should be done when SSL is not an option? And is it safe to send user credentials in URL parameters (with or without SSL)?

Thanks in advance

  • SSL needs to be an option. Usually saying "SSL isn't an option" can be attributed to people being lazy, cheap, or ignorant. If someone told you that SSL isn't an option then tell them that as a result adequate security isn't an option. – Jason Dean Apr 15 '13 at 18:52
  • SSL URL parameters in the querystring are safe at the network level (aka in transit), but can be logged or remembered by the client or the receiving server. More information: http://blog.httpwatch.com/2009/02/20/how-secure-are-query-strings-over-https/ – Andrew Lewis Apr 16 '13 at 14:19

2 Answers

Check this post about securing your API, it is easily readable and explains most of what you need.

About SSL not being an option, as stated in the post:

When do I use HTTPS?

Answer: whenever you don’t want information stolen from the HTTP request.

zafeiris.m
  1. Use a standard authentication (Basic authentication, OpenID or OAuth).
  2. Use HTTPS. Creating a self-signed certificate and enabling it on a server is a very simple operation.
  3. Do not pass any confidential information (including a user password) in URL parameters, even with SSL. They can be logged on the way to your server.
Michael
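To make the third point concrete, here is an added example in Python (not code from either answer or from ASP.NET Web API): credentials carried in an Authorization header stay out of the request line that web servers write to their access logs, while the same credentials in a query string land in the log. The log format, the list of secret-bearing parameter names and the sample URLs are constructed.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlsplit

# Query parameter names that should never carry secrets (constructed list for the log check).
SECRET_PARAMS = {"password", "pwd", "passwd", "secret", "token", "api_key", "apikey"}


def build_basic_auth_header(username: str, password: str) -> str:
    """Client side: carry credentials in the Authorization header (RFC 7617), not in the URL."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth_header(header: str):
    """Server side: recover (username, password) from a Basic header, or None if malformed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")  # the user-id may not contain ':'
    return (username, password) if sep else None


def access_log_line(client: str, method: str, url: str, status: int) -> str:
    """Simulate a Common Log Format entry (constructed timestamp): the request line is logged, headers are not."""
    parts = urlsplit(url)
    target = parts.path + (f"?{parts.query}" if parts.query else "")
    return f'{client} - - [15/Apr/2013:18:52:00 +0000] "{method} {target} HTTP/1.1" {status} 512'


def leaked_query_secrets(log_line: str) -> list:
    """Log review: names of secret-bearing query parameters recorded in one access-log line."""
    request_line = log_line.split('"')[1]  # e.g. 'GET /api/orders?user=a&password=b HTTP/1.1'
    target = request_line.split(" ")[1]
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return sorted(name for name in query if name.lower() in SECRET_PARAMS)


if __name__ == "__main__":
    url = "https://api.example.test/api/orders"
    bad = access_log_line("203.0.113.7", "GET", f"{url}?user=alice&password=hunter2", 200)
    good = access_log_line("203.0.113.7", "GET", url, 200)  # password travels in the header instead
    print("query string :", leaked_query_secrets(bad))   # ['password']
    print("Authorization:", leaked_query_secrets(good))  # []
    print(parse_basic_auth_header(build_basic_auth_header("alice", "hunter2")))
```

Over TLS the header is encrypted in transit just like the query string, so the difference is only in what gets written to logs, browser history and Referer headers, which is exactly why the answer says to keep secrets out of the URL even with SSL.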