tom9729 | 10 years ago
Basic auth is insecure (i.e. sending credentials in plaintext) and poorly supported by browsers. For example, how would you handle these scenarios:
- Force users to reauthenticate after a certain period of time.
- Allow user to logout without closing their browser.
I think Basic auth is more reasonable for server-server communications, combined with HTTPS and client-certs.

The best setup IMO is to have an HTTPS login page (form auth, hopefully with MFA) and use a session cookie. You can do server-side settings with this setup, you minimize the time when credentials are being sent (basically just once on login), and you can force your users to occasionally reauthenticate (either session timeout or manual logout) just in case they forgot to logout of a public computer.
For testing you could allow basic auth (make it configurable, or use user-agent sniffing to force browsers to use form auth).
Edit: formatting
bottled_poe | 10 years ago
When used over HTTPS it is about as secure as any other web auth method.
> Force users to reauthenticate after a certain period of time.
With basic auth, there is no session. Authentication credentials are sent with each request.
> Allow user to logout without closing their browser.
There is no session. Only authenticated requests.
It's not for everyone, but I find that stateless APIs are much easier to work with.
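The two mechanisms the thread compares, side by side, as an added example that is not taken from either comment: the Basic-auth path decodes and verifies the password on every request and has no server-side state to time out or revoke, while the cookie-session path takes the password once at login and supports both the forced reauthentication and the logout asked about above. `USERS`, `SessionStore` and the credentials are constructed for this example.

```python
import base64
import hmac
import secrets
import time

# Constructed credential store for this example (username -> password);
# a real service stores salted password hashes, never plaintext.
USERS = {"alice": "s3cret"}
_DUMMY = "x" * 32  # compared for unknown users so timing does not reveal valid usernames

def verify_password(user, password):
    ok = hmac.compare_digest(USERS.get(user, _DUMMY).encode(), password.encode())
    return ok and user in USERS

def check_basic(authorization_header):
    """Basic auth: credentials decoded and verified on every request; nothing to expire or revoke."""
    if not authorization_header or not authorization_header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(authorization_header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed base64 or non-UTF-8 payload is rejected, not guessed at
    user, sep, password = raw.partition(":")
    if not sep or not verify_password(user, password):
        return None
    return user

class SessionStore:
    """Cookie sessions: password sent once at login; the server can time out or revoke the session."""
    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self._sessions = {}  # token -> (user, absolute expiry time)
    def login(self, user, password, now=None):
        if not verify_password(user, password):
            return None
        token = secrets.token_urlsafe(32)  # unguessable, only ever stored server-side
        self._sessions[token] = (user, (time.time() if now is None else now) + self.ttl)
        return token
    def check(self, token, now=None):
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, expiry = entry
        if (time.time() if now is None else now) >= expiry:
            del self._sessions[token]  # forced reauthentication once the TTL has passed
            return None
        return user
    def logout(self, token):
        self._sessions.pop(token, None)  # logout works while the browser stays open
```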
chei0aiV | 10 years ago