REST user authentication

OK... the basic idea is to have SERVER and CLIENT physically separated (two systems).

My idea is to build a stand-alone web service (REST, XML, API-KEY) that will provide

  • Authentication: User login, logout
  • Data: Get list of products
  • Then I will create clients in different languages (Flash, PHP, JavaScript). Data will be served only to authenticated users.

    Tipical communication for user to get list of products will be:

  • (1 request) Login / start session
  • (1 request) Get list of products
  • (1 request) Get list of products
  • ...
  • OK... Now the problem I have is the user session. Say we want to build Javascript client, we actually have to create PHP client that will communicate with REST (PHP knows about REST API-KEY) and will forward info to Javascript (CLIENT) right? User will login through PHP to REST server right and then request data through PHP to REST server?

    Questions:

  • Now how does PHP store info about opened user session on REST server?
  • If my idea is bad, what is the right way of implementation?
  • Alternatives?

  • A RESTful interface does not store any information about a particular user's session. It is the client's job to maintain the information about what it is doing.

    Authenticate the user on every request by providing information in the Authorization HTTP header. IF this becomes a performance problem, then look at alternative solutions to optimize perf.


    To your first question: XmlHttpRequest requests to a service will still pass along cookies, which can be used to propagate a session ID. You can even (assuming the enduser's browser supports it) mark cookies as 'HttpOnly' to reduce your XSS footprint. See Jeff Atwood's article for some detail on that.


    您应该使用HTTP身份验证来进行用户身份验证,因此不需要执行任何类型的会话管理。

    链接地址: http://www.djcxy.com/p/21966.html

    上一篇: 用于Web应用程序的RESTful身份验证

    下一篇: REST用户认证