Home/ Questions/Q 8852477
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-14T13:24:40+00:00

I have server with some resources; until now all these resources were requested through

  • 0

I have server with some resources; until now all these resources were requested through a browser by a human user, and the authentication was made with an username/password method, that generates a cookie with a token (to have the session open for some time).

Right now the system requires that other servers make GET requests to this resource server but they have to authenticate to get them. We have been using a list of authorized IPs but having two authentication methods makes the code more complex.

My questions are:

  • Is there any standard method or pattern to authenticate human users and servers using the same code?

  • If there is not, are the methods I’m using now the right ones or is there a better / more standard way to accomplish what I need?

Thanks in advance for any suggestion.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I have used a combination of basic authentication and cookies in my web services before. In basic authentication you pass the user name/password encoded in the HTTP header where it looks something like this.

    Authorization: Basic QWxhZGluOnNlc2FtIG9wZW4=

    The string after the word “Basic” is the encoded user name and password that is separated by a colon. The REST API can grab this information from the HTTP header and perform authentication and authorization. If authentication fails I return an HTTP Unauthorized error and if they are authenticated but are not authorized I return an HTTP Forbidden error to distinguish between failure to authentication versus authorization. If it is a web client and the person is authenticated then I pass the following in the HTTP header with a request.

    Authorization: Cookie

    This tells the web service to get the cookie from the HTTP request and use it for authorization instead of doing the authentication process over again.

    This will allow clients that are not web browsers to use the same techniques. The client can always use basic authentication for every request, or they can use basic authentication on the initial request and maintain cookies thereafter. This technique also works well for Single Page Applications (SPAs) where you do not have a separate login page.

    Note: Encoding the user name and password is not good enough security; you still want to use HTTPS/SSL to secure the communications channel.

    • 0