Suppose I develop a social networking site and I decide that I want the core of the application to be completely REST’ed. A user logs in with a password. Now, my question is does every request require password and login pairs (assuming that you need to provide your identity) at the end of URL like www.site.com/index.php?p=pass&l=login? I would be a little nervous about asking for that at every request. I know that I am missing something… it can’t be like that because anyone could snoop into packets and capture the password and login easily. I don’t think having all requests done in HTTPS would make sense (I read it’s taxing on resources).
So please fill in the missing part that I need to understand.
First off, unless you know that using SSL is too expensive for you, use SSL. Security comes before performance optimizations.
Now, about passing usernames and passwords: usually you have an “API access token” or the like. It’s not actually the username/password, but when someone has it they’re granted the ability to make API requests. These can have limited or unlimited validity as you like. You can even make the token a signature – the user signs the request with some key, and you validate the signature.
But yes, since each API request is independent of the last, you’re going to either have to use HTTP Basic authentication or its equivalent, or pass the API token (or other signatory device) with every request.