Okay I had a discussion with my colleague and came up with the best idea so far:

好吧，我和我的同事进行了讨论，并提出了迄今为止最好的主意：

Make a simple controller in your Client Side (site) and name it as RESTAPI, it will just act as a wrapper to your actual REST Server.

在您的客户端（站点）中创建一个简单的控制器并将其命名为 RESTAPI，它将充当您实际 REST 服务器的包装器。

When a user logs into your site, his session get's created. The RESTAPI controller knows credentials to your HTTP Authed actual REST server and it hits REST Server on backbone's behalf.

当用户登录到您的站点时，他的会话就会被创建。RESTAPI 控制器知道您的 HTTP Authed 实际 REST 服务器的凭据，它代表主干访问 REST 服务器。

Example: If I have to fetch

示例：如果我必须取

/messages/sent

/消息/发送

from REST Server, now instead i'll hit this url in backbone collection

来自 REST 服务器，现在我将在主干集合中点击这个 url

site/restapi/messages/sent

站点/restapi/消息/发送

The RESTAPI Controller also first checks that the requesting user has a proper session on the site and weather he is allowed to fetch the resource or not.

RESTAPI 控制器还首先检查请求用户在站点上是否具有正确的会话以及是否允许他获取资源。

So no worries about insecure cookies or leaving your REST Server pass in plain JS or using any other obscure method :)

所以不用担心不安全的 cookie 或将你的 REST 服务器传递给纯 JS 或使用任何其他晦涩的方法:)

HTTP Basic authentication is prone to eavesdropping and man-in-the-middle attacks. It's recommended to use HTTPS.

HTTP 基本身份验证容易受到窃听和中间人攻击。推荐使用HTTPS。

However, if that's not an option you can always send a cookie back to the client and have the username/password entered there to prevent it from being displayed in the JS file. Goes without saying that the password should at least be encrypted/hashed for security reasons. Then, the onus will be on the server side to get the authentication details from the cookie.

但是，如果这不是一个选项，您可以始终将 cookie 发送回客户端并在那里输入用户名/密码以防止它显示在 JS 文件中。不言而喻，出于安全原因，密码至少应该被加密/散列。然后，服务器端有责任从 cookie 中获取身份验证详细信息。

Now, if you don't have any control on modifying the server side code, you are pretty much left with no option other than burying the credential details in a global ajaxSend()method that will send the username/password details with every AJAX request. You could just put this in some other .js file and make it hard to find, but you are pretty much restricted to that form of security. Although, cookies don't make your life any safer. (It'd be good if the password is hashed/encrypted).

现在，如果您对修改服务器端代码没有任何控制权，那么除了将凭证详细信息隐藏在一个全局ajaxSend()方法中之外，您几乎别无选择，该方法将随每个 AJAX 请求发送用户名/密码详细信息。您可以将它放在其他一些 .js 文件中并使其难以找到，但您几乎仅限于这种形式的安全性。尽管如此，cookies 并没有让你的生活更安全。（如果密码被散列/加密会很好）。

The other thing you could do is to have a slightly more complicated form of security: Have the server send a nonce back with every response - the nonce would be 'signed' by the server using the server's secret key and you can use that to 'encrypt' the username/password on the client side for every request. Your server would then have to constantly decrypt the credentials. This is less prone to man-in-the-middle but still not foolproof.

您可以做的另一件事是采用稍微复杂的安全形式：让服务器在每次响应时发送一个随机数 - 服务器将使用服务器的密钥对随机数进行“签名”，您可以使用它来“为每个请求在客户端加密'用户名/密码。然后，您的服务器必须不断解密凭据。这不太容易出现中间人，但仍然不是万无一失的。

HTTPS would save you from each of the above if it's an option for you.

如果 HTTPS 是您的一个选择，那么 HTTPS 将使您免于上述每个问题。

Hope this helps.

希望这可以帮助。

UPDATE(as per comment): The essence of restful-ness is the absence of state on the server. I.e., no sessions! Hence you need to send the user credentials with EVERY request the client makes of the server. If you have a login page then it's very hard to be truly restful since there is no 'resource' called login. However, here's what you can do:

更新（根据评论）：宁静的本质是服务器上没有状态。即，没有会话！因此，您需要在客户端向服务器发出的每个请求中发送用户凭据。如果您有一个登录页面，那么很难真正安静下来，因为没有称为登录的“资源”。但是，您可以执行以下操作：

1. User visits login page, enters credentials and clicks 'login'
2. Send POST request to server with these credentials - probably to /Login
3. Have the server return the requested resource for which authentication was needed AND set the cookie with the valid credentials to use in the 'next' request
4. Every subsequent request will be directed to the corresponding resource at a particular URL with a particular action (GET, PUT, POST, DELETE...). The server should check the authentication data from the cookie and decide if the user is authenticated and perform further authorization to grant access if the need be.

1. 用户访问登录页面，输入凭据并单击“登录”
2. 使用这些凭据将 POST 请求发送到服务器 - 可能发送到 /Login
3. 让服务器返回需要身份验证的请求资源，并使用有效凭据设置 cookie 以在“下一个”请求中使用
4. 每个后续请求都将通过特定操作（GET、PUT、POST、DELETE...）定向到特定 URL 上的相应资源。服务器应检查来自 cookie 的身份验证数据，并决定用户是否已通过身份验证，并在需要时执行进一步授权以授予访问权限。

Every request must identify itself without having the server maintain the session - that's the spirit of statelessness (and restful-ness ;)

每个请求都必须在不让服务器维护会话的情况下识别自己 - 这就是无状态（和宁静；）

If you have access to your server side REST code, you can redesign REST authentication. First time, to login you post username/password over https, in turn obtain a session id which can be used in subsequent requests passing it as cookie.

如果您有权访问服务器端 REST 代码，则可以重新设计 REST 身份验证。第一次登录时，您通过 https 发布用户名/密码，然后获取会话 ID，该 ID 可用于后续请求，将其作为 cookie 传递。