Securing REST API without reinventing the wheel

Backend | Unresolved | 3 | 1097
忘了有多久 2020-12-07 08:44

When designing a REST API, is it common to authenticate a user first?

The typical use case I am looking for is:

  • User wants to get data. Sure cool we like
3 answers
  •  悲哀的现实
    2020-12-07 08:44

    Edit 5 years later

    Use OAuth2!

    Previous version

    No, there is absolutely no need to use a cookie. It's not half as secure as HTTP Digest, OAuth or Amazon's AWS (which is not hard to copy).

    The way you should look at a cookie is that it's an authentication token as much as Basic/Digest/OAuth/whichever would be, but less appropriate.

    However, I don't feel using a cookie goes against RESTful principles per se, as long as the contents of the session cookie do not influence the contents of the resource you're returning from the server.

    Cookies are evil, stop using them.
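The answer refers to Amazon's AWS signed-request scheme as something that is "not hard to copy". Below is an added example of that idea, not code from the answer or the asker, and a deliberate simplification rather than AWS Signature V4: each request carries an HMAC over the method, path, timestamp and body hash, and the server rejects anything tampered with, stale, or signed with an unknown key. The key id, secret and skew window are assumptions chosen for the demo.

```python
import hmac
import hashlib
import time

# Constructed demo credentials: key id -> shared secret (assumption, not from the post).
SECRETS = {"AKID-DEMO": b"demo-secret-do-not-reuse"}
MAX_SKEW = 300  # seconds; requests outside this window are refused, bounding replay


def string_to_sign(method, path, timestamp, body):
    # Canonical form: verb, path, client timestamp and body digest are all covered,
    # so none of them can be altered in transit without breaking the signature.
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_hash}".encode()


def sign_request(key_id, method, path, body, timestamp=None):
    """Client side: build the two headers that authenticate one request."""
    ts = str(int(time.time() if timestamp is None else timestamp))
    mac = hmac.new(SECRETS[key_id], string_to_sign(method, path, ts, body), hashlib.sha256)
    return {"X-Timestamp": ts, "Authorization": f"HMAC-SHA256 {key_id}:{mac.hexdigest()}"}


def verify_request(headers, method, path, body, now=None):
    """Server side: return the authenticated key id, or None on any failure."""
    now = time.time() if now is None else now
    try:
        scheme, cred = headers["Authorization"].split(" ", 1)
        key_id, sig = cred.split(":", 1)
        ts = int(headers["X-Timestamp"])
    except (KeyError, ValueError):
        return None  # malformed or missing headers
    if scheme != "HMAC-SHA256" or key_id not in SECRETS:
        return None
    if abs(now - ts) > MAX_SKEW:
        return None  # stale or future-dated timestamp
    expected = hmac.new(
        SECRETS[key_id], string_to_sign(method, path, str(ts), body), hashlib.sha256
    ).hexdigest()
    # compare_digest runs in constant time, so a mismatch leaks nothing via timing
    if not hmac.compare_digest(expected, sig):
        return None
    return key_id
```

Unlike a session cookie, nothing here is stored server-side between requests; the secret never travels over the wire, only a per-request MAC does.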
