  • Why do I use GET? After a user logs in to the web-service-consuming (client) application, the client program (in C++ or Java or PHP) needs to use the GET method together with a username and password to make a call to my REST web service. When my REST web API receives such a GET call, it will use that username and password to get data and send extra information about that user back to the client application. You may notice that the "user" here is not the web service client but anyone who uses the client application, which is written in another language (C++, Java, etc.). Commented Mar 1, 2015 at 14:23
  • "It is only your decision which crypto algorithm you choose." The web service I provide is written in C#, while the client (consuming) applications are written in other languages (C++, Java, PHP, etc.). How is a certain selected crypto algorithm understood on both sides? Commented Mar 1, 2015 at 14:27
  • @Thomas.Benz // First of all, it was my misunderstanding that the password is received from the server via GET. But I think you are preparing to use the basic authentication method, which embeds username+password in the header while calling a GET query to the server. One important thing is that you should not send the password in the QueryString. Just embed username+password in the HTTP header, and the header is going to be encrypted with HTTPS. Commented Mar 2, 2015 at 6:31
  • Then the HTTPS security standard handles all of the crypto nicely for the communication between server and client. It already takes care of which crypto algorithm to use and which key is valid. For this reason, the key (certificate) for HTTPS encryption is published by an authorized dealer worldwide, called a Root Certificate Authority. Commented Mar 2, 2015 at 6:37
  • How to know the algorithm? In HTTPS, the algorithm, like SHA-1 or SHA-256, is designated when the certificate is generated by the Root CA. The computer, whether it is an iPhone, Android, or Windows server, already has a list of Root CAs and a security handler. It's just factory built-in. Your computer already has a bunch of Root CAs too. The client (your API clients) will ensure the communication is secure by the certificate-dedicated encryption algorithm when the certificate is from a Root publisher. Commented Mar 2, 2015 at 6:57
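The advice in the comments above (send the credentials in the HTTP Basic Authorization header, never in the query string, and only over HTTPS) as an added Python example that is not part of the original thread; the host name and the list of sensitive parameter names are constructed for illustration:

```python
import base64
from urllib.parse import urlsplit, parse_qs

# Query-string keys that should never carry a secret (constructed list for this example).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "pass", "secret", "token"}


def basic_auth_header(username: str, password: str) -> dict:
    """Build the HTTP Basic Authorization header (RFC 7617).

    The credentials travel inside the header, which TLS encrypts, instead of
    in the URL, where they would land in proxy and server access logs.
    """
    if ":" in username:
        raise ValueError("RFC 7617 forbids ':' in the user-id")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def check_request_url(url: str) -> list:
    """Return the problems a service or gateway should flag for a request URL."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append("not https: Basic credentials would travel in clear text")
    for key in parse_qs(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_KEYS:
            problems.append(f"secret in query string: {key}")
    return problems


def parse_basic_header(header_value: str) -> tuple:
    """Decode an incoming Authorization header on the service side."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    user, sep, pwd = decoded.partition(":")
    if not sep:
        raise ValueError("malformed Basic credential")
    return user, pwd


if __name__ == "__main__":
    hdr = basic_auth_header("alice", "s3cret!")
    print(hdr)  # Authorization: Basic YWxpY2U6czNjcmV0IQ==
    print(check_request_url("http://api.example.test/user?name=alice&password=s3cret!"))
    print(check_request_url("https://api.example.test/user?name=alice"))
    print(parse_basic_header(hdr["Authorization"]))
```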