I see a possible problem with this approach.
Let's imagine that you have an XSS vulnerability in your website. If you had an authentication cookie with the session id, you could just flag it as HttpOnly and attackers would not be able to grab that session id via JavaScript. But since you're storing that information in your HTML body, it's completely accessible to an attacker. He just needs to grab that info from the body, send it to his evil server, and done, now he can impersonate users.
If you did it like that to avoid creating cookies, mainly because you'll not have cookies in a mobile native application, you should take a look at OAuth. This will allow you to authenticate your users via tokens that you'll generate, and you'll have full control over their lifespan. And now your API consumers will only need to request a token, and after that they'll only need to send that token with their requests to be authenticated (until that token expires, and then they'll need to request a new one).
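The token flow described in the answer above, as an added example that is not the answer author's code: a server issues a signed bearer token with a lifespan it controls and rejects expired or altered tokens. This is a simplified HMAC-signed token rather than a full OAuth implementation, and the names `issueToken`, `verifyToken`, `authenticate` and `SIGNING_KEY` are hypothetical.

```javascript
const { createHmac, timingSafeEqual, randomBytes } = require("node:crypto");

// Assumption: per-process signing key; a real service loads it from a secret store.
const SIGNING_KEY = randomBytes(32);

const b64url = (buf) => Buffer.from(buf).toString("base64url");
const sign = (data) => createHmac("sha256", SIGNING_KEY).update(data).digest();

// Issue a token bound to a user id, valid for ttlSeconds counted from nowMs.
function issueToken(userId, ttlSeconds, nowMs = Date.now()) {
  const exp = Math.floor(nowMs / 1000) + ttlSeconds;
  const payload = b64url(JSON.stringify({ sub: userId, exp }));
  return `${payload}.${b64url(sign(payload))}`;
}

// Returns { ok: true, sub } or { ok: false, reason }.
function verifyToken(token, nowMs = Date.now()) {
  const parts = String(token).split(".");
  if (parts.length !== 2) return { ok: false, reason: "malformed" };
  const [payload, sig] = parts;
  const expected = sign(payload);
  const given = Buffer.from(sig, "base64url");
  // Check the signature before trusting anything inside the payload.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad signature" };
  }
  const claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  // The server, not the client, decides when the token stops working.
  if (Math.floor(nowMs / 1000) >= claims.exp) {
    return { ok: false, reason: "expired" };
  }
  return { ok: true, sub: claims.sub };
}

// Pull the token out of an "Authorization: Bearer <token>" header value.
function authenticate(authorizationHeader, nowMs = Date.now()) {
  const m = /^Bearer ([A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)$/.exec(authorizationHeader || "");
  return m ? verifyToken(m[1], nowMs) : { ok: false, reason: "missing bearer token" };
}
```

A short lifespan limits how long a token copied out of a page or a log stays usable; once it expires the client has to request a new one.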