0

I'm developing a WCF RESTful web service with C#, .NET Framework 4.0 and Entity Framework 4.4.0.0.

On a SQL Server database I have a table with users and I want to check if a user exists in that table by sending login and password.

I have this URI: /users/{user_id} to GET a user using its UserId.

I think I can do this: /users/login/{login}/password/{password}, but I don't know if this is the right way to do it because login and password are public.

How can I check if a user with the same login and password exists without showing them in the URI? (Maybe /users/login/{login}/password/{password} is the right way.)

NOTE: the password is encrypted.

VansFannel

2 Answers

1

If you are building a RESTful API then it really should be stateless, which means sending the user/password on each request or a token on each request.

You will need to run the site under SSL for it to be secure. Your user/password or token should be in the header. For a simple site I would recommend using Basic HTTP authentication (google it if you don't know what it is). You base64 encode the username/password and send them with each request. Have a look here:

http://www.codeproject.com/Articles/149738/Basic-Authentication-on-a-WCF-REST-Service

One more thing - I may be wrong as I don't know the details of your project but I don't think you need a 'confirm' service. It sounds like you have this for the purposes of logging in. I would suggest that when a user logs in you direct them to your dashboard or landing area. If the user is not authenticated at this point then redirect to login.

Ben
  • Thanks for your answer, but I made a mistake in my question, and this is what I want to know: `How can I check if a user with the same login and password exists without showing them in the URI?` – VansFannel Nov 11 '13 at 13:09
  • If you use basic HTTP auth you should be able to do this. You will put the username/password in the header rather than the URL – Ben Nov 11 '13 at 13:13
0

WCF (REST) services are supposed to be stateless. Use a different way of authentication. See User authentication for mobile clients in RESTful WCF 4 service and User/Pass Authentication using RESTful WCF & Windows Forms.

CodeCaster
  • Thanks for your answer, but I made a mistake in my question, and this is what I want to know: `How can I check if a user with the same login and password exists without showing them in the URI?` – VansFannel Nov 11 '13 at 13:09
  • Just query `/users/login/{login}`? – CodeCaster Nov 11 '13 at 13:10