Hi,
I've set up security in my RESTful WCF services using Custom Basic Authentication (deactivating the IIS Basic Authentication and not using Windows Account logins; my service is hosted by IIS) using the following link.
allen-conway-dotnet.blogspot.fr/2012/07/using-basic-authentication-in-rest.html
I understand the consumers have to implement a client to pass credentials in the request header.
It is base64 encoded and we can see the credentials passing in the Firebug network tab while debugging (it is always the same encoded string <=> same credentials .......)
So, in addition, to enforce security I will add SSL to encrypt the URL:
https://myrestfulserviceurl/Method.
Now the consumers ask me why we don't just put the login and password in the URL request, i.e.
https://myrestfulserviceurl/Method?login=XXX&password=YYY (also combined with SSL)
Thus I will add login and password as parameters in my Operation Contract and call an authentication method in my method "Method".
My question is:
What is the difference (both scenarios will use SSL) between Custom Basic Authentication (credentials in the request header) and simply passing the credentials in the URL as parameters?
I mean: I'm just asking myself why I bother to implement Basic Authentication as, in both scenarios, passing credentials in the URL or in the header looks similar in terms of passing stuff in the request.
Basic Authentication does not look more secure except for the base64 encoding.
Correct me if I'm wrong.
I am just looking for a reason to implement Custom Basic Authentication.
Thanks,
Daniel
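The following is an added example (not code from the original post or from the linked blog) that illustrates the two points behind the question: the Basic `Authorization` header is only base64 encoded, so it is trivially reversible and SSL is what actually protects it on the wire, and credentials placed in the query string become part of the request line, which web servers, proxies and browser history record, while request headers normally are not logged. The user name, password, base URL and the access-log format below are constructed sample values, not taken from the post.

```python
import base64
from urllib.parse import urlsplit, parse_qs, urlencode

# Constructed sample credentials (assumption, not from the original post)
USER = "alice"
PASSWORD = "s3cret"
BASE_URL = "https://myrestfulserviceurl/Method"


def build_basic_header(user, password):
    """Build the Authorization header value a Basic-auth client sends (RFC 7617)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_header(header_value):
    """Server side: recover (user, password) from the header, or None if malformed.

    base64 is an encoding, not encryption: anyone who sees the header can
    reverse it, which is why the transport (SSL/TLS) must protect it.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def credentials_in_query(url):
    """Return any login/password values present in the URL's query string."""
    qs = parse_qs(urlsplit(url).query)
    return {k: v[0] for k, v in qs.items() if k in ("login", "password")}


def access_log_line(method, url, status):
    """Simulate a typical web-server access log entry (constructed format).

    Like IIS or Apache logs, it records the request line (path + query
    string) but not request headers such as Authorization.
    """
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return f"{method} {target} {status}"


def compare(user=USER, password=PASSWORD, base_url=BASE_URL):
    """Show what each scheme leaves behind in a server access log."""
    header = build_basic_header(user, password)
    query_url = base_url + "?" + urlencode({"login": user, "password": password})
    header_log = access_log_line("GET", base_url, 200)
    query_log = access_log_line("GET", query_url, 200)
    return {
        "authorization_header": header,
        "decoded_from_header": decode_basic_header(header),
        "header_log": header_log,
        "query_log": query_log,
        "header_log_leaks_password": password in header_log,
        "query_log_leaks_password": password in query_log,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Running the block prints the base64 token, its decoded form, and the two simulated log lines: the header variant logs only `GET /Method 200`, while the query-string variant logs the password in clear, even though both requests travelled over SSL.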