Restful Login - proper implementation

Frontend | Unresolved | 1 | 1410
星月不相逢 2020-12-20 06:37

New to RESTful services but read a lot on the subject. Implementing in VS2010 C#

Similar (nearly identical) questions have been asked and answered here on stackover

Related tags:
1 answer
  • 2020-12-20 07:13

    It is not correct to pass the password in the URL. I have done some research on this. Firstly, you should use Basic Authentication over SSL if that is possible. In the Authentication header, pass the userid and password. Now, as far as REST is concerned, the session is not maintained on the server. So you need to pass the user id and password for every call. It is risky to store the password in the local storage.

    Hence use a POST call for first-time authentication and pass the userid and password. Then, on return of successful authentication, the server returns a tokenkey and tokenvalue. tokenkey and tokenvalue are similar to the Amazon private key shared initially. From the next request onwards, send the tokenkey and sign your data using the tokenvalue. Pass the tokenkey and signature every time. On the server end, the server verifies the signature since it has a copy of the tokenvalue. tokenkey and tokenvalue can be stored locally, if possible encrypted.

    You cannot use the tokenkey and tokenvalue forever. Hence on each request the server sends a nonce in the response. This nonce is stored in a database on the server end and changes for every request. When you send a request to the server, include this nonce. The nonce is formed using a timestamp. If a request is sent, say, after 15 mins, the nonce is decrypted and the timestamp is found to be more than 15 minutes old, and hence you redirect him to the login page. Formation of the nonce is given in http://www.ietf.org/rfc/rfc2617.txt. Once the nonce is successfully validated, this nonce is discarded and a new nonce is sent (formed again with the latest timestamp). This will also help to prevent replay attacks.

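The exchange the answer describes, written out as both sides of the protocol. This is an added example, not code from the answerer or from the asker's C# project, and it is in Python rather than C# so the flow can be run stand-alone. Assumptions: HMAC-SHA256 over the nonce and request body stands in for "sign your data using tokenvalue" (the answer does not name an algorithm); an in-memory dict stands in for the server-side database that holds the current nonce per session; the nonce follows the RFC 2617 shape of a timestamp plus a keyed hash over it; the 15-minute window is the one from the answer; the `now` parameters exist only so expiry can be exercised without waiting. The plaintext password table is a constructed demo input, not a storage recommendation.

```python
import hashlib
import hmac
import secrets
import time

NONCE_TTL_SECONDS = 15 * 60  # the 15-minute window from the answer


def sign(tokenvalue: str, nonce: str, body: str) -> str:
    """Client side: sign the current nonce and the request body with the shared tokenvalue.
    HMAC-SHA256 is an assumption; the answer only says 'sign your data'."""
    msg = f"{nonce}\n{body}".encode()
    return hmac.new(tokenvalue.encode(), msg, hashlib.sha256).hexdigest()


class Server:
    """Server side. A dict stands in for the database the answer says holds
    the nonce per session (constructed example, not a real framework)."""

    def __init__(self, users: dict):
        self._users = users              # username -> password (demo only; real code stores salted hashes)
        self._sessions = {}              # tokenkey -> {"tokenvalue": str, "nonce": str}
        self._nonce_secret = secrets.token_bytes(32)  # the "private key" in the RFC 2617 nonce recipe

    def _make_nonce(self, now: float) -> str:
        # RFC 2617 shape: timestamp plus a keyed hash over it, so the server can later
        # confirm it issued this nonce and read the timestamp back out of it.
        ts = str(int(now))
        tag = hmac.new(self._nonce_secret, ts.encode(), hashlib.sha256).hexdigest()
        return f"{ts}:{tag}"

    def _nonce_age(self, nonce: str, now: float):
        """Return the nonce's age in seconds, or None if it was not issued by this server."""
        ts, _, tag = nonce.partition(":")
        if not ts.isdigit():
            return None
        expected = hmac.new(self._nonce_secret, ts.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None
        return now - int(ts)

    def login(self, username: str, password: str, now: float = None):
        """The first-time POST with credentials. Returns tokenkey, tokenvalue and the first nonce,
        or None when the credentials are wrong."""
        now = time.time() if now is None else now
        stored = self._users.get(username, "")
        if not hmac.compare_digest(stored.encode(), password.encode()):
            return None
        tokenkey = secrets.token_hex(16)    # sent in the clear with every request
        tokenvalue = secrets.token_hex(32)  # shared secret, never sent again after login
        nonce = self._make_nonce(now)
        self._sessions[tokenkey] = {"tokenvalue": tokenvalue, "nonce": nonce}
        return {"tokenkey": tokenkey, "tokenvalue": tokenvalue, "nonce": nonce}

    def handle(self, tokenkey: str, nonce: str, body: str, signature: str, now: float = None):
        """Every later request carries tokenkey, the last nonce the server issued, and a signature."""
        now = time.time() if now is None else now
        sess = self._sessions.get(tokenkey)
        if sess is None:
            return {"status": 401, "error": "unknown tokenkey"}
        # The nonce must be exactly the one last issued for this session. A replayed
        # request reuses a nonce that has already been discarded, so it fails here.
        if not hmac.compare_digest(sess["nonce"], nonce):
            return {"status": 401, "error": "nonce already used or unknown"}
        age = self._nonce_age(nonce, now)
        if age is None or age > NONCE_TTL_SECONDS:
            del self._sessions[tokenkey]  # force a fresh login, as the answer describes
            return {"status": 401, "error": "session expired, log in again"}
        if not hmac.compare_digest(sign(sess["tokenvalue"], nonce, body), signature):
            return {"status": 401, "error": "bad signature"}
        # Success: discard the used nonce and issue a fresh one for the next request.
        sess["nonce"] = self._make_nonce(now)
        return {"status": 200, "nonce": sess["nonce"], "echo": body}


if __name__ == "__main__":
    srv = Server({"alice": "correct horse battery"})   # constructed demo credentials
    creds = srv.login("alice", "correct horse battery")
    body = '{"op":"list"}'
    first = srv.handle(creds["tokenkey"], creds["nonce"], body,
                       sign(creds["tokenvalue"], creds["nonce"], body))
    replay = srv.handle(creds["tokenkey"], creds["nonce"], body,
                        sign(creds["tokenvalue"], creds["nonce"], body))
    print("first request:", first["status"], "replay:", replay["status"])
```

The signature check never rotates the nonce on failure, so a request with a bad signature does not burn the nonce the legitimate client still holds; only a successful request moves the session forward. Sending `tokenkey` and the signature over SSL is still needed, exactly as the answer says, since the scheme protects against replay and tampering but not against a party that can read the initial login exchange.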