iOS Question http basic auth question

[tufanv]

Hello,

I am using http post method the retrieve data from my server every second in my app. ( to get updated currency rates).

To add a protection to my api, I am switching to basic auth where I will protect the folder on my server and use basic auth with httputils2 to access the file. my question is, is there a problem with this technically like : I am sending post request every second to get the updated rates, I didnt have any problem with this without using auth, if i switch to basic auth, maybe it will be slower to get the data with username and password, or some requests will fail because of this check ? Is there any downside of this method while sending a request every second ?

the reason I am asking is : I track the response time with every request, without auth it was around 50ms but after auth it is arounf 150ms , on peak times when the currency moves are high, I am handling around 5000 concurrent connections on my server so if the basic auth somehow will increase the load it may crash my servers.

Thanks

 

[Erel]

By default, basic authentication requires another request. The first request is sent without the credentials.

You can add the Authorization header yourself to save the first request.
The header value should look like this:
Basic QWxhZGRpbjpPcGVuU2VzYW1l

QWxhZGRpbjpPcGVuU2VzYW1l = base64 encoding of username:password

Note that you will probably get better performance with WebSockets.

 

[tufanv]

By default, basic authentication requires another request. The first request is sent without the credentials.

You can add the Authorization header yourself to save the first request.
The header value should look like this:
Basic QWxhZGRpbjpPcGVuU2VzYW1l

QWxhZGRpbjpPcGVuU2VzYW1l = base64 encoding of username:password

Note that you will probably get better performance with WebSockets.

is this safe to send with header ? It is quite easy to decode base64 so if the header can be retrieved, userass can be taken easily ?

 

[Erel]

is this safe to send with header ?

It is always sent as a header. It is safe if you are using SSL.

 

[tufanv]

It is always sent as a header. It is safe if you are using SSL.

I tried to set :
j.GetRequest.SetHeader("key","Y2FubGlkb3ZpemawcDoqIS8vVHVmYW5WYXQxOTkk")

For the name I used a random string like "key" but Idont think it is true. I got :
java.lang.NullPointerException

the code is :

    Dim j As HttpJob
    j.Initialize("verial",Me)

  j.GetRequest.SetHeader("key","Y2FubGlkb3ZpemFwcDoqIS8vVHVmaW5WYXQxOTkk")
    j.PostString(aktifserver&datauzanti,"jeton=" &jetonana &"&sembol="&sembolstring)
    j.GetRequest.Timeout=3500

 

[JanPRO]

Hi,

the error is caused because you are trying to access the request before it was created (with PostString). For basic authentication the header should look like:

Dim j As HttpJob
j.Initialize("verial",Me)
j.PostString(aktifserver&datauzanti,"jeton=" &jetonana &"&sembol="&sembolstring)
j.GetRequest.SetHeader("Authorization","Basic <Base64String>")
j.GetRequest.Timeout=3500

However, I agree with Erel that it's probably better to use Websockets here.

Jan

 

[tufanv]

Hi,

the error is caused because you are trying to access the request before it was created (with PostString). For basic authentication the header should look like:

Dim j As HttpJob
j.Initialize("verial",Me)
j.PostString(aktifserver&datauzanti,"jeton=" &jetonana &"&sembol="&sembolstring)
j.GetRequest.SetHeader("Authorization","Basic <Base64String>")
j.GetRequest.Timeout=3500

However, I agree with Erel that it's probably better to use Websockets here.

Jan

Hello,

You are right probably. I never had a problem with http requests as long as my servers were enough but I don't have any experience with websockets. I don't know how many concurrent connections it can handle etc.. I need to do some research about it and maybe I can switch to that.