REST user authentication
OK... the basic idea is to have SERVER and CLIENT physically separated (two systems).
My idea is to build a stand-alone web service (REST, XML, API-KEY) that will provide
Then I will create clients in different languages (Flash, PHP, JavaScript). Data will be served only to authenticated users.
Typical communication for a user to get the list of products will be:
OK... Now the problem I have is the user session. Say we want to build a JavaScript client: we actually have to create a PHP client that will communicate with REST (PHP knows about the REST API-KEY) and will forward info to JavaScript (CLIENT), right? The user will log in through PHP to the REST server, and then request data through PHP from the REST server, right?
Questions:
A RESTful interface does not store any information about a particular user's session. It is the client's job to maintain the information about what it is doing.
Authenticate the user on every request by providing information in the Authorization HTTP header. If this becomes a performance problem, then look at alternative solutions to optimize performance.
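The stateless pattern this answer describes, as an added example that is not part of the original answer: each request carries its own credentials in the Authorization header (HTTP Basic over TLS is assumed as the scheme), the server verifies them against a stored password hash on every call, and nothing is remembered between calls. The user store, salt and handler names are constructed for the example.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple

def _hash_password(password: str, salt: bytes) -> bytes:
    # Assumption: passwords are stored as PBKDF2-SHA256 hashes with a per-user salt
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user store: only the salt and the hash are kept, never the plaintext
_SALT = b"constructed-salt-16"
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}

def authenticate(headers: Dict[str, str]) -> Optional[str]:
    """Return the username proven by this request's Authorization header, or None.

    There is no session lookup: every request is judged on the credentials it carries.
    """
    scheme, _, param = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not param:
        return None
    try:
        user, _, password = base64.b64decode(param, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed base64 or non-UTF-8 credentials
    record = USERS.get(user)
    if record is None:
        _hash_password(password, _SALT)  # hash anyway so unknown users cost the same time
        return None
    salt, stored = record
    # Constant-time comparison so a mismatch does not leak how many bytes matched
    if not hmac.compare_digest(stored, _hash_password(password, salt)):
        return None
    return user

def handle_products_request(headers: Dict[str, str]) -> Tuple[int, dict]:
    """Stateless REST handler: authorization is decided per request."""
    user = authenticate(headers)
    if user is None:
        # 401 plus WWW-Authenticate tells the client how to retry with credentials
        return 401, {"WWW-Authenticate": 'Basic realm="api"'}
    return 200, {"products": ["widget", "gadget"], "user": user}

def basic_header(user: str, password: str) -> Dict[str, str]:
    """Client side: the header a client (PHP, JavaScript, ...) attaches to every call."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}
```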
To your first question: XmlHttpRequest requests to a service will still pass along cookies, which can be used to propagate a session ID. You can even (assuming the end user's browser supports it) mark cookies as 'HttpOnly' to reduce your XSS footprint. See Jeff Atwood's article for some detail on that.
You should use HTTP authentication for user authentication, so there is no need to do any kind of session management.