i'm a newbie to server-side programming, so please forgive me if this gets messy. i've been contracted to create a web service to allow authenticated users to access a database. users have to enter a login and password. been reading and reading about REST vs SOAP, and i thought i'd settled on a RESTful design when i came across this statement: "Data that needs to be secure should not be sent as parameters in URIs." this seems like a major demerit against a RESTful approach. i'm aware that with https the password would be encrypted to prevent man-in-the-middle interception, but that leaves the server logs and client history as possible exposure points. is there a RESTful solution out there for this problem, or do i need to go SOAPy? any advice appreciated.
Use POST-type requests to transmit the necessary data and include the sensitive portion as a posted field so that it is part of the request body instead of a parameter within the URI.
This is a problem with configuration of your web server not with your application. Mis-configurations can lead to vulnerabilities and this is a good example of that. Web servers can also log POST requests and this is common if your Web Application Firewall detects an attack. I would make sure that logging is turned off in apache because this is probably not required for your application to run properly.
Another more common approach is to use a cookie to maintain the session. The cookie still has to be guarded with https for its entire life.
I think that to be really RESTful you should use an HTTP authentication (basic or digest), since being forced to login first insn't un the spirit of REST.
I would like to be approved (or the contrary) by someone who know REST well, thought.