I am working on an MVC4 ApiController, not yet on the Web, which I wish to secure.
I have seen the standard of passing to an MVC4 ApiController a hashed parameter starting with "Basic" and an encoded string. However, if you get right down to it, to the server there is no difference between this and sending the string in clear text. Yes, we can't read it, so we don't know what the password is, but if we know what the encoded string is, we have the credentials.
So yes, we need to be sending this over SSL. However, barring an SSL certificate, would it make any sense to include in the hashed string some extra parameter or time stamp which changes every 2 minutes (e.g. SecurID), so that when we are checking against the hashed value we check the last three possible values of the password plus the time?
I hate rolling my own, but it would seem like a reasonable addition to the standard.
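As an added example (not code from the original post or from any project) of the scheme the question proposes: the client sends an HMAC of the user name and a two-minute window index, keyed with a shared secret, in the usual "Basic" header shape, and the server accepts the current window or the two before it. The user name, secret and timestamps are constructed sample values.

```python
import base64
import hashlib
import hmac
import time

WINDOW_SECONDS = 120   # the value changes every 2 minutes, as proposed
ACCEPTED_WINDOWS = 3   # current window plus the two before it

# Constructed sample of what the server holds per user (a shared secret the
# client also knows; in practice this would be a stored, derived key).
SECRETS = {"alice": "correct horse battery staple"}


def window_index(now: float) -> int:
    """Map a Unix timestamp to its 2-minute window number."""
    return int(now // WINDOW_SECONDS)


def token_for_window(username: str, secret: str, window: int) -> str:
    """HMAC-SHA256 over user name and window number, keyed by the shared secret."""
    msg = f"{username}:{window}".encode()
    digest = hmac.new(secret.encode(), msg, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def build_authorization_header(username: str, secret: str, now: float = None) -> str:
    """Client side: 'Basic base64(user:token)' with the token bound to the current window."""
    now = time.time() if now is None else now
    cred = f"{username}:{token_for_window(username, secret, window_index(now))}".encode()
    return "Basic " + base64.b64encode(cred).decode()


def parse_header(header: str) -> tuple:
    """Split a 'Basic <base64>' header into (user, token); raises on other schemes."""
    scheme, _, payload = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("unsupported auth scheme")
    user, _, token = base64.b64decode(payload).decode().partition(":")
    return user, token


def verify(header: str, secrets: dict, now: float = None) -> bool:
    """Server side: accept the token if it matches any of the last ACCEPTED_WINDOWS windows."""
    now = time.time() if now is None else now
    user, token = parse_header(header)
    secret = secrets.get(user)
    if secret is None:
        return False
    current = window_index(now)
    for w in range(current, current - ACCEPTED_WINDOWS, -1):
        if hmac.compare_digest(token_for_window(user, secret, w), token):
            return True
    return False
```

Within its window a captured token can still be replayed, and because the secret is the only unknown an eavesdropper can brute-force it offline against a captured token, so this narrows exposure but does not replace TLS.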