RESTful services for user logins, What security issues should I be thinking about

12 replies to this topic

#1 mctim
    CC Addict
  • Advanced Member
  • 110 posts

Posted 24 September 2012 - 12:32 PM

I'm planning on writing a web service to handle user logins which I will leverage from mobile clients (iOS and Android). My plan had been to do something pretty straightforward where the user sends me his password and username, and I would send him his user ID if there was one that matched that user ID/password combo. Now this should work fine in practice, but given that I have basically no knowledge of the topic of security, what sort of precautions should I be taking for my potential users to keep their information safe?

#2 VNFox
    CC Devotee
  • Senior Member
  • 648 posts
  • Programming Language: C#, PHP
  • Learning: Assembly

Posted 24 September 2012 - 02:32 PM

I would suggest you to use SOAP instead of REST ... it's a bit more coding than REST but it's better for security than REST.

www.pickmike.com
I don't just develop software. I find solutions to your business needs.


#3 mctim
    CC Addict
  • Advanced Member
  • 110 posts

Posted 24 September 2012 - 06:54 PM

Any suggested reading on implementing SOAP in Java?

Also, what are some of the reasons why I would want to use SOAP?

For just a little more information:

My plan has been to send the mobile client its user's ID for it to save. Then every time it went to send me data on some user activity I would just tack the user ID onto the data so I could determine who performed said activity. This may be outside the scope of a Java forum, but is that a bad idea? If so, why?

#4 VNFox
    CC Devotee
  • Senior Member
  • 648 posts
  • Programming Language: C#, PHP
  • Learning: Assembly

Posted 25 September 2012 - 07:53 AM

In order to know why to use SOAP ... you have to understand what's different between REST and SOAP. You can read more details on this site:
http://spf13.com/post/soap-vs-rest/

For a SOAP implementation you can use KSOAP as a third party library ... or you can do it on your own using httpPost.

"Then every time it went to send me data on some user activity I would just tack the user ID onto the data so I could determine who performed said activity." ..

This has nothing to do with SOAP or REST ... this is the LOGICAL part of your web service ... a web service can be in any programming language such as PHP, C# ... or even JAVA.


#5 Orjan
    CC Mentor
  • Moderator
  • 2918 posts
  • Location: Karlstad, Sweden
  • Programming Language: C, Java, C++, C#, PHP, JavaScript, Pascal
  • Learning: Java, C#

Posted 25 September 2012 - 12:36 PM

VNFox, why do you suggest SOAP over REST, when the article you link to says that the "answer is almost always REST"?

I'm a System developer at XLENT Consultant Group mainly working with SugarCRM.
Please DO NOT send mail or PM to me with programming questions, post them in the appropriate forum instead, where I and others can answer you.


#6 VNFox
    CC Devotee
  • Senior Member
  • 648 posts
  • Programming Language: C#, PHP
  • Learning: Assembly

Posted 25 September 2012 - 03:13 PM

Most people think so ... but read the security part ... on SOAP vs REST. SOAP is harder to implement than REST, so many people are trying to avoid SOAP; that's why they think it's always REST. Or read the author's summary, that may help too.


#7 kernelcoder
    CC Devotee
  • Expert Member
  • 990 posts
  • Location: Dhaka
  • Programming Language: C, Java, C++, C#, Visual Basic .NET
  • Learning: Objective-C, PHP, Python, Delphi/Object Pascal

Posted 25 September 2012 - 05:30 PM

"Most people think so ... but read the security part ... on SOAP vs REST. SOAP is harder to implement than REST, so many people are trying to avoid SOAP; that's why they think it's always REST. Or read the author's summary, that may help too."

Well, the conclusion of that blog post is that SOAP has more security than REST with its retry mechanism, ATOMIC transaction support etc., and that's why SOAP has particular scenarios where it should be used, like banking transactions. Except for that, REST is useful (by design) for all other scenarios. Now, VNFox, you tell us: how many banking transactions do you do over the internet in a day in comparison to normal browsing? I think your answer to this question will be the answer to this thread.

But in this post 'mctim' is just talking about transferring the username/password. I think this part can be made secure on the client application side.

#8 VNFox
    CC Devotee
  • Senior Member
  • 648 posts
  • Programming Language: C#, PHP
  • Learning: Assembly

Posted 26 September 2012 - 08:23 AM

Use your common sense here ... is exposing the username and password okay to you? It doesn't make sense. Even if you don't have a banking system ... any sensitive data that can be exposed is a security issue. So in conclusion, if you're concerned about security then use SOAP ... if you don't care if your data gets exposed then use REST. It's just common sense, it doesn't have to be a bank transaction.


#9 Orjan
    CC Mentor
  • Moderator
  • 2918 posts
  • Location: Karlstad, Sweden
  • Programming Language: C, Java, C++, C#, PHP, JavaScript, Pascal
  • Learning: Java, C#

Posted 26 September 2012 - 08:48 AM

Well, REST can be encrypted through SSL so there's no big difference there... You don't have to expose anything with REST either.
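mctim's plan (the client keeps its user ID and tacks it onto every later request) means the server trusts whatever identity the client claims. On a REST service over HTTPS, as Orjan says, the usual fix is to hand back an opaque, expiring token at login and derive the acting user from that token on every later request, ignoring any user ID in the request body. The following is an added example in Python, not code from anyone in this thread; the in-memory user store, the HMAC key and the token format are constructed for illustration.

```python
import base64, hashlib, hmac, os, secrets, time

SECRET = secrets.token_bytes(32)   # constructed for this example; a real service loads its key from config
TOKEN_TTL = 3600                   # seconds a login token stays valid
SIG_LEN = 32                       # HMAC-SHA256 output length
USERS = {}                         # constructed user store: username -> (user_id, salt, pbkdf2 digest)

def hash_password(password, salt=None, iterations=200_000):
    """PBKDF2-HMAC-SHA256 with a per-user random salt; the raw password is never stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def register(username, password, user_id):
    USERS[username] = (user_id,) + hash_password(password)

def issue_token(user_id, now=None):
    """Opaque expiring bearer token: 'user_id:expiry' plus an HMAC over it, base64url-encoded."""
    expiry = int(now if now is not None else time.time()) + TOKEN_TTL
    payload = f"{user_id}:{expiry}".encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + sig).decode()

def login(username, password):
    """Returns a token on success, None otherwise; unknown user and wrong password look the same."""
    rec = USERS.get(username)
    if rec is None:
        hash_password(password)   # spend similar time so a missing username is not distinguishable
        return None
    user_id, salt, digest = rec
    if not hmac.compare_digest(hash_password(password, salt)[1], digest):
        return None
    return issue_token(user_id)

def verify_token(token, now=None):
    """Returns the user_id the server bound to this token, or None if malformed, forged or expired."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        payload, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
        user_id, expiry = payload.decode().rsplit(":", 1)
        expiry = int(expiry)
    except (ValueError, UnicodeDecodeError):
        return None
    if not hmac.compare_digest(sig, hmac.new(SECRET, payload, hashlib.sha256).digest()):
        return None
    return user_id if expiry >= (now if now is not None else time.time()) else None

def record_activity(token, body):
    """Activity endpoint: the acting user comes from the token, never from a user_id in the body."""
    user_id = verify_token(token)
    return None if user_id is None else {"user_id": user_id, "activity": body.get("activity")}
```

Because the key is generated at import, tokens do not survive a restart; that is fine for a demo but a real deployment keeps the key in configuration and rotates it deliberately.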


#10 VNFox
    CC Devotee
  • Senior Member
  • 648 posts
  • Programming Language: C#, PHP
  • Learning: Assembly

Posted 26 September 2012 - 09:30 AM

Well ... like I said before ... it's your choice to make a decision ... are you interested in WS-Security and HTTPS, or just HTTPS? But you should read this article:
http://blogs.msdn.co...ycle-naked.aspx


#11 lespauled
    CC Leader
  • Expert Member
  • 1360 posts
  • Programming Language: C, C++, C#, JavaScript, PL/SQL, Delphi/Object Pascal, Visual Basic .NET, Pascal, Transact-SQL, Bash

Posted 26 September 2012 - 11:43 AM

That article was written by Geddy Lee? :biggrin:
My Blog: http://forum.codecal...699-blog-77241/
"Women and Music: I'm always amazed by other people's choices." - David Lee Roth

#12 VNFox
    CC Devotee
  • Senior Member
  • 648 posts
  • Programming Language: C#, PHP
  • Learning: Assembly

Posted 27 September 2012 - 10:32 AM

Hmm ... not sure ... don't know who Geddy Lee is...
