views: 818

answers: 4

OK... the basic idea is to have SERVER and CLIENT physically separated (two systems).

My idea is to build a stand-alone web service (REST, XML, API-KEY) that will provide

  1. Authentication: User login, logout
  2. Data: Get list of products

Then I will create clients in different languages (Flash, PHP, JavaScript). Data will be served only to authenticated users.

Typical communication for a user to get the list of products will be:

  1. (1 request) Login / start session
  2. (1 request) Get list of products
  3. (1 request) Get list of products
  4. ...

OK... Now the problem I have is the user session. Say we want to build a JavaScript client: we actually have to create a PHP client that will communicate with REST (PHP knows about the REST API-KEY) and will forward info to JavaScript (CLIENT), right? The user will log in through PHP to the REST server, and then request data through PHP to the REST server?

Questions:

  • Now how does PHP store info about opened user session on REST server?
  • If my idea is bad, what is the right way of implementation?
  • Alternatives?
+1  A: 

You should probably use HTTP authentication for the user auth, and so not need to do any sort of session management.

Ciaran McNulty
A: 

You don't need PHP to store an API-KEY if you make your client classes in JavaScript smart enough to append the API-KEY (loaded when logging in) into the headers of each XMLHttpRequest your class will spawn.

Also it might be good to note that API-KEY does not necessarily mean authentication key.

Martijn Laarman
+1  A: 

To your first question: XMLHttpRequest requests to a service will still pass along cookies, which can be used to propagate a session ID. You can even (assuming the end user's browser supports it) mark cookies as 'HttpOnly' to reduce your XSS footprint. See Jeff Atwood's article for some detail on that.

TML
Cookies kind of break the "STATELESS" part of REST.
Gandalf
You can still store state on the client and be RESTful. The restriction is that application state shouldn't be stored on the server.
ctford
In these discussions, it is important to distinguish __application state__ (session state) from __resource state__. In a RESTful architecture, resource state is stored server-side, whereas application state is stored client-side. [http://www.infoq.com/articles/mark-baker-hypermedia]
A: 

A RESTful interface does not store any information about a particular user's session. It is the client's job to maintain the information about what it is doing.

Authenticate the user on every request by providing information in the Authorization HTTP header. If this becomes a performance problem, then look at alternative solutions to optimize perf.

Darrel Miller