Ask HN: Best way to authenticate for RESTful service?

[haomiao]

I'm building a server that allows users to control and access a web-connected sensor. The server lets the user connect to the device, change settings, and retrieve data that the sensor uploads.<p>All of the requests are stateless, so the the server does not have to maintain a session or any session state. I do however need to make sure that the user only accesses the devices and logs they are authorized to.<p>So my question is this: is it better to have every request be authenticated with the user's username and password, or should I still establish a session and use something like HMAC? What are the advantages and disadvantages of each approach?<p>Thanks!

[kberryman]

HMac is usually the best option for this. You don't want to have to save an unknown amount of sessions as your service scales. And you don't want to have to store a password on the client device or send it across the line on every call. Hmac will allow you to check authentication as well it will allow you to verify that no one has tampered with the request packet or has tried to replay an old request with some sort of man in the middle attack.

[haomiao]

Ok, is the idea that user should log in once on the client device, and the client should not store the password, encrypted or otherwise.

Then all subsequent messages to the server use HMAC for verification?

When does the user need to enter login information again?