Mark Holtzhausen's blog


How To Secure Login Credentials for Ajax

Cross-Posted From : CodeOnFire.cThru.biz

Many JavaScript and other clients that make use of REST or other web services have to use authentication credentials to allow the end user access to those services.

There are several ways to get the credentials to the server. One popular method is HTTP/1.1 authentication, either Basic or Digest. Basic does nothing to hide the credentials: the Authorization header carries only base64(user:password), and base64 is an encoding, not encryption, so anybody listening in on your web traffic can read them straight out of the header. Digest is a little better in that the password itself never goes on the wire, but the MD5 response it sends can be cracked offline by the same observer, so over plain HTTP neither variant keeps the credentials from the world.

Another method, probably the one used by the majority, is to put the login credentials in the POST body or the GET query string of the calls made to the web service. That is just as exposed: over plain HTTP both travel in clear text, and a GET such as

http://mywebserver.com/mywebservice/?user=admin&pass=1234

does not make for very high transport security. On top of being readable on the wire, a password in the URL is also copied into the browser history, the server access logs and any proxy logs along the path.
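As an added example (not code from the original post), the following Node.js snippet plays the part of the passive observer described above: it parses two constructed captures of unencrypted requests, one using an Authorization: Basic header and one carrying the credentials in the query string, and recovers the user name and password from each. The request text, the capture names and the helper function names are assumptions made for this example; the query parameter names match the URL used in the post.

```javascript
// Added example (not from the original post): recover credentials that a
// passive observer can read from an unencrypted HTTP request, whether they
// travel in an "Authorization: Basic" header or in the query string.
// All request text below is constructed for this example.

// Parse a raw HTTP/1.1 request into its request line and a header map.
function parseRequest(raw) {
  const [head] = raw.split('\r\n\r\n');
  const lines = head.split('\r\n');
  const [method, target] = lines[0].split(' ');
  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(':');
    if (idx === -1) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { method, target, headers };
}

// Basic auth is only base64(user:pass); base64 is an encoding, not a cipher,
// so decoding it is all the "attack" an eavesdropper needs.
function credentialsFromBasicAuth(headers) {
  const auth = headers['authorization'];
  if (!auth || !/^basic\s+/i.test(auth)) return null;
  const decoded = Buffer.from(auth.replace(/^basic\s+/i, ''), 'base64').toString('utf8');
  const sep = decoded.indexOf(':'); // RFC 7617: the user-id may not contain ':'
  if (sep === -1) return null;
  return { user: decoded.slice(0, sep), pass: decoded.slice(sep + 1), via: 'basic-auth' };
}

// Credentials in the query string are plain text in the request line and
// are also copied into server access logs, proxy logs and browser history.
function credentialsFromQuery(target) {
  const qs = target.includes('?') ? target.slice(target.indexOf('?') + 1) : '';
  const params = new URLSearchParams(qs);
  // Parameter names "user" and "pass" follow the post's example URL.
  if (!params.has('user') || !params.has('pass')) return null;
  return { user: params.get('user'), pass: params.get('pass'), via: 'query-string' };
}

// Try both patterns; returns null when the request carries neither.
function recoverCredentials(raw) {
  const req = parseRequest(raw);
  return credentialsFromBasicAuth(req.headers) || credentialsFromQuery(req.target);
}

// Constructed captures of the two patterns described in the post.
const BASIC_AUTH_CAPTURE =
  'GET /mywebservice/ HTTP/1.1\r\n' +
  'Host: mywebserver.com\r\n' +
  'Authorization: Basic YWRtaW46MTIzNA==\r\n' + // base64("admin:1234")
  '\r\n';

const QUERY_STRING_CAPTURE =
  'GET /mywebservice/?user=admin&pass=1234 HTTP/1.1\r\n' +
  'Host: mywebserver.com\r\n' +
  '\r\n';

console.log(recoverCredentials(BASIC_AUTH_CAPTURE));   // admin / 1234 via basic-auth
console.log(recoverCredentials(QUERY_STRING_CAPTURE)); // admin / 1234 via query-string
```

Both captures yield the same user name and password; the only thing Basic auth adds over the query string is a base64 step that any observer reverses in one call. Digest would not fall to this snippet directly, but an observer who captures the nonce and the response hash can still run a dictionary attack against it offline.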

TLS (still usually called SSL) is really the only way to be sure that your credentials remain hidden from anyone on the network path. Note that it protects the bytes on the wire only: a password sent in the query string still ends up in browser history and server logs, encrypted transport or not.

Server Generated Tokens for Obscuring Login Credentials

I have taken up a different tactic. It runs the following course:
