I'm pretty sure that passing authentication in the headers of a plain http request (what I think you're talking about: using the username & password attributes of a CFHTTP tag - while calling a URL under the http protocol) - is no more secure than submitting a form with username and password fields in it. You probably knew that.

So yeah, you're going to want to use https/ssl when calling a URL while passing username & password attributes of a CFHTTP tag; and you should expect the same of others who call your server. Just like you should use or expect https when submitting a login form. You knew that too...

I think you're also asking a general API question: whether clients should authenticate up front - and use some kind of token (session in CFML lingo) from then on, or whether they should authenticate at every request. THAT depends on the nature of the services you provide, whether you're providing them to a human, another server calling on behalf of a human, or another server calling on behalf of a business.

That last question (credentials in the header vs. credentials in the request body): I'll wager that the folks over at the "api-craft" Google group have discussed that a few times. I can think of one or two arguments either way.

Al


On 7/30/2013 6:16 PM, Jason Allen wrote:
I've read people recommend using http authentication for sending usernames and passwords. 

I've never been able to get excited about using it because I've always assumed I would be using a reasonably stiff SSL connection to pass the data, and as such I would just post username/password as form values like the rest of the form. Or in the case of ajax/JSON I would just include the user/pass as an argument. It takes extra work to include using http authentication, and that seems unnecessary to me since I'm using SSL.

I basically don't see the point in forking off the credentials and adding additional lines of code when I could just send the stuff with the rest of the data I'm already sending anyway.

Thoughts? Am I missing something? 

I read this article by Ben Nadel and I still don't see the point. (He's explaining the concept for someone, not necessarily recommending it)



--
--
online documentation: http://openbd.org/manual/
http://groups.google.com/group/openbd?hl=en
 
---
You received this message because you are subscribed to the Google Groups "Open BlueDragon" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
 
 
