Possible Duplicate:
Types of HTTP authentication and how to design a secure database?
I have an iPhone application which exchanges XML data with my server.
The first time a user runs the application, the application connects to a URL and requests a user id.
I used HTTP Basic Authentication for this, but with a simple web debugger (sniffer) I was able to see all the XML forms sent/received to/from my server and also the URL where the user id is issued.
So what can I do to hide all this data and not make it so visible to a debugger? Some people suggested using https (HTTP over SSL), but I see millions of sites/applications that use http for these things. Am I missing something here? What could I do to have this kind of security?
All I want is to avoid someone writing a script and flooding my database with trash, as everything (URLs, forms of XML files) is visible.
HTTPS is what you want to use. If you don’t use HTTPS, you are susceptible to attack.
Just because millions of sites are insecure doesn’t mean you want yours to be. It is also common for sites to use HTTPS initially, and then HTTP from there. Again though, if you truly want to be protected, use HTTPS.
Finally, HTTPS won’t protect you from someone flooding your database with trash. For that, you need good authentication, and rate limit what someone can do from a particular account.
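As an added illustration of the three points in this answer (not code from the question or the answer), the following Python sketch of a server-side request handler refuses requests that did not arrive over HTTPS, verifies HTTP Basic credentials against a stored hash, and applies a per-account token-bucket rate limit. It also shows why a sniffer can read Basic Auth on plain HTTP: the header is base64, an encoding, not encryption. The user store, salt, and handler names are constructed for the example; the `scheme` argument stands in for whatever your framework uses to report whether a request came in over TLS.

```python
import base64
import hashlib
import hmac

# Constructed credential store: username -> salted SHA-256 hex digest.
# (Hypothetical; a real deployment would use a slow password hash such as
# bcrypt/scrypt/argon2 and a per-user salt.)
SALT = b"constructed-salt"


def hash_password(pw):
    return hashlib.sha256(SALT + pw.encode("utf-8")).hexdigest()


USERS = {"alice": hash_password("correct horse")}
DUMMY_DIGEST = hash_password("")  # compared against for unknown users


def basic_header(user, pw):
    """Build the Authorization header an HTTP client sends for Basic Auth."""
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode("utf-8")).decode("ascii")


def decode_basic(header):
    """Return (user, password) from a Basic Authorization header, or None.

    Base64 is reversible: anyone who captures this header on plain HTTP
    reads the credentials back, which is why HTTPS is required.
    """
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, pw = raw.partition(":")
    return (user, pw) if sep else None


def check_credentials(user, pw):
    """Constant-time comparison; unknown users still do a full hash+compare
    so response timing does not reveal which usernames exist."""
    expected = USERS.get(user, DUMMY_DIGEST)
    ok = hmac.compare_digest(hash_password(pw), expected)
    return ok and user in USERS


class RateLimiter:
    """Per-account token bucket: each account may burst up to `capacity`
    requests, then sustain `refill_per_sec` requests per second."""

    def __init__(self, capacity, refill_per_sec):
        self.capacity = float(capacity)
        self.refill_per_sec = float(refill_per_sec)
        self.buckets = {}  # account -> (tokens, last_timestamp)

    def allow(self, account, now):
        tokens, last = self.buckets.get(account, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill_per_sec)
        if tokens >= 1.0:
            self.buckets[account] = (tokens - 1.0, now)
            return True
        self.buckets[account] = (tokens, now)
        return False


def handle_request(scheme, auth_header, limiter, now):
    """Return (status, message) for one request.

    scheme:      "http" or "https" as reported by the server/framework
    auth_header: value of the Authorization header (may be None)
    limiter:     shared RateLimiter instance
    now:         current time in seconds (passed in so it is testable)
    """
    if scheme != "https":
        return 403, "HTTPS required"
    creds = decode_basic(auth_header)
    if creds is None or not check_credentials(*creds):
        return 401, "bad credentials"
    user = creds[0]
    if not limiter.allow(user, now):
        return 429, "rate limited"
    return 200, "ok"


if __name__ == "__main__":
    lim = RateLimiter(capacity=3, refill_per_sec=1.0)
    hdr = basic_header("alice", "correct horse")
    print(decode_basic(hdr))                       # credentials are readable
    print(handle_request("http", hdr, lim, 100.0)) # refused: not TLS
    for _ in range(4):                             # 3 allowed, then 429
        print(handle_request("https", hdr, lim, 100.0))
```

The scheme check is deliberately first: credentials presented over plain HTTP have already been exposed to anyone on the path, so the server should never accept them. The rate limit is keyed on the authenticated account rather than on the client IP, which is what "rate limit what someone can do from a particular account" means in practice; failed logins return before the bucket is touched, so they should be counted separately if you also want to throttle guessing.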