
I'm developing a WCF RESTful web service with C#, .NET Framework 4.0 and Entity Framework 4.4.0.0.

On a SQL Server database I have a table with users and I want to check if a user exists in that table by sending login and password.

I have this URI: /users/{user_id} to GET a user using its UserId.

I think I can do this: /users/login/{login}/password/{password}, but I don't know if this is the right way to do it because login and password are public.

How can I check if a user exists with the same login and password without showing them in the URI? (Maybe /users/login/{login}/password/{password} is the right way.)

NOTE: the password is encrypted.

1 Comment

using username and password in the url?! don't do that! you should use post (Commented Nov 11, 2013 at 12:16)

2 Answers

1

If you are building a RESTful API then really it should be stateless - which means sending the user/password on each request or a token on each request.

You will need to run the site under SSL for it to be secure. Your user/password or token should be in the header. For a simple site I would recommend using Basic HTTP authentication (google it if you don't know what it is). You base64 encode the username/password and send them with each request. Have a look here:

http://www.codeproject.com/Articles/149738/Basic-Authentication-on-a-WCF-REST-Service

One more thing - I may be wrong as I don't know the details of your project but I don't think you need a 'confirm' service. It sounds like you have this for the purposes of logging in. I would suggest that when a user logs in you direct them to your dashboard or landing area. If the user is not authenticated at this point then redirect to login.


2 Comments

Thanks for your answer, but I made a mistake in my question, and this is what I want to know: How can I check if a user exists with the same login and password without showing them in the URI?
If you use basic HTTP auth you should be able to do this. You will put the username/password in the header rather than the URL.
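As an added illustration of what this answer describes (not code from the question or the linked article): a WCF REST operation that reads the credentials from the Authorization header instead of the URI, decodes the Basic scheme, looks the user up with Entity Framework and verifies the password against the stored value. The entity and context names (User, UsersContext, UsersService), the /users/me template, and the choice of PBKDF2 (Rfc2898DeriveBytes) as the way the stored password was produced are all assumptions for the example; the question only says the password is "encrypted", and a salted hash is what a verification like this should compare against. The header is only protected in transit when the service runs under HTTPS, as the answer says.

```csharp
using System;
using System.Data.Entity;
using System.Linq;
using System.Net;
using System.Security.Cryptography;
using System.ServiceModel;
using System.ServiceModel.Web;
using System.Text;

// Assumed EF 4.x entity and context; not the asker's actual model.
public class User
{
    public int UserId { get; set; }
    public string Login { get; set; }
    public byte[] PasswordSalt { get; set; }  // assumed: random per-user salt
    public byte[] PasswordHash { get; set; }  // assumed: PBKDF2(password, salt)
}

public class UsersContext : DbContext
{
    public DbSet<User> Users { get; set; }
}

public static class BasicAuth
{
    // Parses "Authorization: Basic base64(login:password)". False on anything malformed.
    public static bool TryParse(string header, out string login, out string password)
    {
        login = password = null;
        if (string.IsNullOrEmpty(header) ||
            !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
            return false;
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim())); }
        catch (FormatException) { return false; }
        int colon = decoded.IndexOf(':');
        if (colon <= 0) return false;              // empty login or no separator
        login = decoded.Substring(0, colon);
        password = decoded.Substring(colon + 1);   // the password itself may contain ':'
        return true;
    }

    // Compares every byte whatever the first mismatch position is, so response
    // time does not leak how much of the stored hash matched.
    public static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // PBKDF2-HMAC-SHA1 via Rfc2898DeriveBytes (available in .NET 4.0).
    // Assumption: the stored "encrypted" password was produced the same way.
    public static byte[] Hash(string password, byte[] salt, int iterations = 10000)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
            return kdf.GetBytes(32);
    }
}

[ServiceContract]
public class UsersService
{
    // Nothing secret appears in the URI. The client sends
    //   Authorization: Basic <base64(login:password)>
    // and receives its own record, or 401 with a WWW-Authenticate challenge.
    [OperationContract]
    [WebGet(UriTemplate = "/users/me", ResponseFormat = WebMessageFormat.Json)]
    public User GetCurrentUser()
    {
        var ctx = WebOperationContext.Current;
        string login, password;
        if (!BasicAuth.TryParse(ctx.IncomingRequest.Headers["Authorization"], out login, out password))
            return Challenge(ctx);

        using (var db = new UsersContext())
        {
            var user = db.Users.SingleOrDefault(u => u.Login == login);
            // Hash even for an unknown login so "no such user" and "wrong password"
            // take about the same time and the same response is returned for both.
            byte[] salt = user != null ? user.PasswordSalt : new byte[16];
            byte[] computed = BasicAuth.Hash(password, salt);
            if (user == null || !BasicAuth.FixedTimeEquals(computed, user.PasswordHash))
                return Challenge(ctx);
            user.PasswordHash = null;  // never echo stored secrets back to the client
            user.PasswordSalt = null;
            return user;
        }
    }

    private static User Challenge(WebOperationContext ctx)
    {
        ctx.OutgoingResponse.Headers.Add("WWW-Authenticate", "Basic realm=\"users\"");
        ctx.OutgoingResponse.StatusCode = HttpStatusCode.Unauthorized;
        return null;
    }
}
```

Both failure paths (unknown login, wrong password) produce the same 401 and both run the key derivation, so the service does not reveal which logins exist. With this in place the /users/login/{login}/password/{password} route from the question is unnecessary: the existence check is the authentication itself.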
0

WCF (REST) services are supposed to be stateless. Use a different way of authentication. See User authentication for mobile clients in RESTful WCF 4 service and User/Pass Authentication using RESTful WCF & Windows Forms.

2 Comments

Thanks for your answer, but I made a mistake in my question, and this is what I want to know: How can I check if a user exists with the same login and password without showing them in the URI?
Just query /users/login/{login}?
