</div>
</div>
<div class="grid--cell mb0 mt8">Closed <span title="2011-12-28 00:04:07Z" class="relativetime">8 years ago</span>.</div>
</div>
</aside>
Possible Duplicate:
How to use Basic Auth and Jquery and Ajax
I want to use basic authentication via AJAX to a REST service. The authentication header is not my problem. My problem is how do I go about storing and retrieving the credentials that will be used in the basic authentication.
Should I be storing the username and password in a cookie when they first log in? I want the user to be able to login to the website. And once they are logged in, their web browser will download the page contents via AJAX with basic authentication from a REST service that contains their data.
I think there must be some standard way to do this. But I am having a hard time figuring out what it is.
Thanks!
</div>
I marked the question as a dupe after I figured out exactly what was being asked.
Here's an answer about how you'd roll your own Auth system, which is originally what I thought your question was about :)
If your site is visible on the Internet, HTTP Basic Auth alone will not secure your content.
You shouldn't store the username and password anywhere but inside your DB. The password should never be stored in plain text. It should be hashed, using a Salt.
When you authenticate, hash the password with the same Salt, and verify that the resulting hashes are the same.
You could also consider a pre-hash of the password (in addition to the server-side hash) so the plain-text password is never sent over the wire.
Authenticate with the username and password only once, and return a session cookie to the user.
This cookie should be used to look up which user owns the session, and when they authenticated (so the session can expire). If they've got a valid cookie that matches up to an unexpired session, you can consider them authenticated.
The remaining problems with this scheme are that it is still going to be prone to a replay attack or a man-in-the-middle attack.
You could mitigate some of this by only allowing authenticated sessions to access your site through SSL.
Another thing that could help (though not completely solve the problem) is store the IP the auth request came from in the session data, and make sure it is the same IP with each request.
If you can, I'd suggest you reuse an existing authentication system rather than rolling your own. It is a little complicated (and prone to problems), and other people have already thought through the details. I'm sure there are details I'm missing, too.