Please pardon my ignorance for I have almost no web development experience.
I've implemented a simple mechanism whereby I hash the user's password (sent as a POST/GET parameter) and store it in a database. After a user logs in successfully, I return the user ID (the PK in the database) back to the client. Subsequent requests must carry the user ID, which is used as a primitive mechanism to validate the requests.
I've read about several mechanisms, starting from simple HTTP authentication, using a salted hash (which I'm using), implementing access tokens, to the seemingly complicated OAuth authentication. Ah! and perhaps finally about HTTPS.
Leaving aside the last two, which I'm still to comprehend enough, I seem to have a very basic question to which I haven't been able to find an answer.
I'm sorry this is not a direct programming question, but the reason I ask is that I cannot find an answer on Google, or rather I am not using the correct search keywords.
The question is: given all the mechanisms of access tokens, API keys, etc., even if I were to implement this mechanism but did not use HTTPS, is there any point in implementing them at all? I mean, just as anyone could sniff my clear-text password or user ID, he would also be able to snoop on the token/key and use it subsequently with malicious intent, thereby rendering the whole mechanism useless. Does that mean HTTPS is the only truly secure option?
I must be missing something here, but pointers would be really appreciated.
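The three designs the question circles around, side by side, as an added example that is not part of the original post. It contrasts the post's "user ID as credential" scheme with a random, revocable bearer token and with HMAC request signing, and shows what each leaks to a passive observer of plain HTTP: in the first two the observer captures a credential that can simply be resent, while in the signed scheme the secret never crosses the wire and a captured request cannot be resent because of the timestamp window and one-time nonce. Signing protects authenticity and integrity only; request and response bodies are still readable, which is the part only TLS fixes. All names, values and the in-memory stores are constructed for illustration.

```python
"""Added example (not from the original post): how a client proves who it is on
each request under three schemes, and what a passive observer of plain HTTP
can do with what it sees. Everything here is constructed for illustration."""
import hashlib
import hmac
import os
import secrets
import time

# --- Password storage: salted, deliberately slow hash. Only the salt and digest
#     are stored; the password itself is never kept.
PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


# --- Scheme A (the post's design): the database primary key is the credential.
#     It is predictable, permanent and visible on the wire.
def scheme_a_request(user_id):
    return {"user_id": user_id, "action": "list_orders"}


def authenticate_a(req, known_user_ids):
    return req["user_id"] if req["user_id"] in known_user_ids else None


# --- Scheme B: an opaque random bearer token issued at login. Unguessable and
#     revocable (delete it from SESSIONS), but whoever captures it can reuse it.
SESSIONS = {}  # token -> user_id (constructed in-memory store)


def issue_bearer_token(user_id):
    token = secrets.token_urlsafe(32)  # 256 bits of entropy
    SESSIONS[token] = user_id
    return token


def scheme_b_request(token):
    return {"authorization": "Bearer " + token, "action": "list_orders"}


def authenticate_b(req):
    header = req["authorization"]
    return SESSIONS.get(header[len("Bearer "):]) if header.startswith("Bearer ") else None


# --- Scheme C: HMAC request signing. The shared secret stays on both ends; only
#     a signature over method, path, timestamp, nonce and body travels.
API_SECRETS = {}      # key_id -> secret bytes (constructed in-memory store)
SEEN_NONCES = set()   # replay protection within the timestamp window
MAX_SKEW_SECONDS = 300


def issue_signing_key(user_id):
    key_id, secret = "key-%d" % user_id, secrets.token_bytes(32)
    API_SECRETS[key_id] = secret
    return key_id, secret


def _canonical(method, path, ts, nonce, body):
    return ("%s\n%s\n%d\n%s\n%s" % (method, path, ts, nonce, body)).encode()


def sign_request(key_id, secret, method, path, body, ts=None, nonce=None):
    ts = ts if ts is not None else int(time.time())
    nonce = nonce if nonce is not None else secrets.token_hex(8)
    sig = hmac.new(secret, _canonical(method, path, ts, nonce, body), hashlib.sha256).hexdigest()
    return {"method": method, "path": path, "body": body,
            "key_id": key_id, "ts": ts, "nonce": nonce, "sig": sig}


def verify_signed_request(req, now=None):
    now = now if now is not None else int(time.time())
    secret = API_SECRETS.get(req["key_id"])
    if secret is None:
        return False
    if abs(now - req["ts"]) > MAX_SKEW_SECONDS:   # stale or future-dated
        return False
    if req["nonce"] in SEEN_NONCES:               # exact replay of a seen request
        return False
    expected = hmac.new(secret, _canonical(req["method"], req["path"], req["ts"],
                                           req["nonce"], req["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, req["sig"]):
        return False                              # body or path was altered
    SEEN_NONCES.add(req["nonce"])
    return True
```

The verification order matters: the timestamp check bounds how long nonces must be remembered, and the nonce is only recorded after the signature has been accepted so that a forged request cannot burn a legitimate client's nonce.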