So feel free to not only answer this question but to throw out suggestions or improvements. I’ve never put together a large scale web application before. Here’s my thought process:

• Persistence Layer: Standard Database (MySQL right now)
• Business Logic Layer: REST-like structure (PHP, Java Servlets, etc…)
• Presentation Layer: Web Browser, Android devices (application not browser), and others

The reason I selected this architecture is so that devices can devise their own custom UI’s and tap into the REST-like functionality by using GET, POST, and what not to interact with the server.

Problem 1:

The problem is, how do you secure user’s information? You can authenticate the user over an SSL connection and return a special HASH so that the user can manipulate their account but if someone is listening on the network, all they have to do is listen for a REST call and steal the HASH. One solution is that all REST-like calls have to be over SSL, but this causes another problem.

Problem 2:

If the REST procedures are in SSL, the browser has to use SSL for everything which from my understanding can be slow and cumbersome when unnecessary. Also, SOP makes it impossible to use SSL ajax calls to the REST procedures from an unsecure browser. HTTP and HTTPS are considered different origins even though its the same origin, different protocol.

Is this solution viable? How would I solve these two problems? Or possibly (probably) is there a better architecture I should look into for my web application. Thanks in advance for all suggestions.