Hi,
yes, HTTP is stateless, but this doesn't mean we can't have the session concept
like almost all web applications do.
Sending credentials with every request is a bad idea from an operational and
security point of view.
From an operational point of view this implies that the server has to execute
the authentication process for each request, which implies adding overhead to each
request as compared to simply checking if a session ID exists and is still valid.
From a security point of view resending credentials with each request
increases the risk that the credentials are caught by others (even using TLS/SSL; see the
patch Apple was urged to provide to fix a bug in its implementation of the TLS/SSL
stack!), unless you take specific measures to protect them (which increase the
processing overhead).
Ciao
   Domenico
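The two approaches under discussion, as an added example (not code from OrientDB or from anyone in this thread): a constructed in-memory server that either re-verifies "Basic base64(user:pass)" on every call, running a slow password KDF each time, or accepts the credentials once at login and hands back a random session ID that later calls present instead. The user store, the single shared salt, the 300 second TTL and the caller-supplied clock are assumptions of the demo.

```python
import base64
import hashlib
import hmac
import secrets
KDF_ITERATIONS = 100_000   # slow on purpose: the work Basic auth repeats on every request
SESSION_TTL = 300.0        # seconds a session id stays valid

def basic_header(user: str, password: str) -> str:
    # Client side: the 'Basic base64(user:pass)' Authorization value.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

class AuthServer:
    def __init__(self, users: dict) -> None:
        self.salt = secrets.token_bytes(16)
        self.users = {u: self._kdf(p) for u, p in users.items()}  # store hashes only
        self.sessions = {}    # session id -> (user, expiry timestamp)
        self.kdf_calls = 0    # how many times a password had to be re-verified

    def _kdf(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, KDF_ITERATIONS)

    def verify_basic(self, authorization: str):  # per-request path: parse header, re-run KDF
        scheme, _, blob = authorization.partition(" ")
        if scheme != "Basic":
            return None
        try:
            user, _, password = base64.b64decode(blob, validate=True).decode().partition(":")
        except (ValueError, UnicodeDecodeError):   # malformed header: no KDF work spent
            return None
        self.kdf_calls += 1
        expected = self.users.get(user, bytes(32))   # hash unknown users too (timing)
        return user if hmac.compare_digest(self._kdf(password), expected) else None

    def login(self, authorization: str, now: float):  # one-time login: credentials in, id out
        user = self.verify_basic(authorization)
        if user is None:
            return None
        sid = secrets.token_urlsafe(32)   # 256 random bits, unguessable
        self.sessions[sid] = (user, now + SESSION_TTL)
        return sid

    def verify_session(self, sid: str, now: float):  # later calls: lookup + expiry, no KDF
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        user, expiry = entry
        if now >= expiry:
            self.sessions.pop(sid, None)   # expired: client must log in again
            return None
        return user
```

Comparing `kdf_calls` after a burst of `verify_basic` calls with the count after one `login` followed by many `verify_session` calls shows the per-request cost Domenico describes.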



On 11 Mar 2014 at 1:10, Mateusz Dymczyk wrote:

REST by definition is stateless so what you are asking for isn't REST. What's
bad with sending credentials with every request?

Mateusz

On Tuesday, March 11, 2014 4:19:26 PM UTC+9, Gaurav Dhiman wrote:
    I noted that the way OrientDB authenticates users for every HTTP access is by
    expecting username:password encoded in base64 for every HTTP call. Isn't
    that a bad idea?

    I think username:password should only be expected once at the time of
    login (HTTP connect call). Once connect is successful, OrientDB should return
    a session ID, and in consecutive calls to the OrientDB server that session ID
    should be sent in place of the username:password combination. Using the session ID,
    OrientDB should be able to fetch the currently logged-in user and its details at
    the server end to perform specific actions.

    Can we achieve the above in OrientDB (for HTTP REST calls)?

    Regards,
    Gaurav
--

---
You received this message because you are subscribed to the Google Groups 
"OrientDB" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to 
[email protected].
For more options, visit https://groups.google.com/d/optout.
