What I am doing is a Rails web service API that lets users create a traveling log when they access any site, by using a Firefox plugin. For this requirement I needed 2 things.

  1. skip_before_filter :verify_authenticity_token in a specific controller (because I let users create it through the API, not the form, so I disable this).
  2. Users have to provide a username and password with every request (e.g. curl -u username:pass -d "..." http://localhost:3000/logs).

What I want to ask is:

  • Can I make it easier by letting my Firefox plugin ask for the user login and then use cookies, so there is no need to send the username and password with every request?
  • Is skip_before_filter :verify_authenticity_token a bad thing or a necessary thing to do for this?

Thanks

A: 

When Rails renders a form, it includes a hidden field with a long string (authenticity token). The verify_authenticity_token filter ensures that the user submitted a form that the server actually rendered (as opposed to forging a POST request, as hackers will do). If you use cookies and sessions you should really read about how this works and try to customize it to work with your plugin.

However, why not use HTTP basic authentication instead? It's slightly faster than sending a cookie on every page view and should be much simpler to set up. As you say, you can have your plugin prompt for a username/password, and then send them with every request.

If you need to store user data in sessions, though, you'll have to use cookies.

Alex Reisner
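To make the two designs in the answer concrete, here is an added example in plain Ruby (not Rails, and not code from either poster). It models a POST /logs handler with both paths side by side: an API path where the plugin or curl sends HTTP Basic credentials on every request, and a browser path where a session cookie identifies the user and the authenticity token from the rendered form must match the one stored in the session. The user name, password, cookie name and request hashes are all constructed for the example.

```ruby
require 'base64'
require 'securerandom'

# Constructed credential store for the example (not from the question).
USERS = { 'alice' => 'correct-horse-battery' }.freeze

# Constant-time string comparison so password/token checks don't leak
# where the first mismatching byte is.
def secure_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Cookie-backed session store: each session carries the user and the
# per-session authenticity (CSRF) token that Rails would embed in its forms.
class Sessions
  def initialize
    @store = {}
  end

  def create(user)
    id = SecureRandom.hex(16)
    @store[id] = { user: user, csrf_token: SecureRandom.hex(16) }
    id
  end

  def [](id)
    @store[id]
  end
end

# Parse "Authorization: Basic base64(user:pass)" and return the user name
# when the credentials check out, nil otherwise.
def basic_auth_user(headers)
  header = headers['Authorization']
  return nil unless header
  scheme, encoded = header.split(' ', 2)
  return nil unless scheme == 'Basic' && encoded
  begin
    decoded = Base64.strict_decode64(encoded)
  rescue ArgumentError
    return nil
  end
  user, pass = decoded.split(':', 2)
  return nil unless user && pass && USERS.key?(user)
  secure_equal?(USERS[user], pass) ? user : nil
end

# POST /logs. Requests are plain hashes: method, headers, cookies, params.
# Returns [status, body], a Rack-style response without the headers array.
def create_log(request, sessions)
  return [405, 'method not allowed'] unless request[:method] == 'POST'

  # API path: the plugin (or curl -u) sends credentials explicitly on every
  # request, so there is no form token to verify; authentication is the gate.
  if request[:headers].key?('Authorization')
    user = basic_auth_user(request[:headers])
    return [401, 'unauthorized'] unless user
    return [201, "log created for #{user} (basic auth)"]
  end

  # Browser path: the session cookie identifies the user, but the browser
  # attaches cookies to any POST, including one a third-party page forges.
  # The authenticity token from the rendered form proves this POST came
  # from our own page; this is what verify_authenticity_token enforces.
  session = sessions[request[:cookies]['_session_id']]
  return [401, 'no session'] unless session
  token = request[:params]['authenticity_token']
  return [422, 'invalid authenticity token'] unless secure_equal?(session[:csrf_token], token)
  [201, "log created for #{session[:user]} (session)"]
end

# Four constructed requests exercising both paths; returns status codes.
def demo_statuses
  sessions = Sessions.new
  sid = sessions.create('alice')
  good_basic = 'Basic ' + Base64.strict_encode64('alice:correct-horse-battery')
  bad_basic  = 'Basic ' + Base64.strict_encode64('alice:wrong')

  requests = {
    api_ok:      { method: 'POST', headers: { 'Authorization' => good_basic }, cookies: {}, params: {} },
    api_badpass: { method: 'POST', headers: { 'Authorization' => bad_basic },  cookies: {}, params: {} },
    form_ok:     { method: 'POST', headers: {}, cookies: { '_session_id' => sid },
                   params: { 'authenticity_token' => sessions[sid][:csrf_token] } },
    forged_post: { method: 'POST', headers: {}, cookies: { '_session_id' => sid }, params: {} }
  }
  requests.transform_values { |req| create_log(req, sessions).first }
end

puts demo_statuses if $PROGRAM_NAME == __FILE__
```

The forged_post case is the situation the token filter exists for: the cookie is valid, but nothing ties the POST to a page the server rendered, so it is rejected. In a real Rails controller the API path corresponds to authenticate_or_request_with_http_basic on the action that skips the token filter, while any action reached from a cookie session keeps the filter on. One caveat for the Basic design: browsers also cache Basic credentials and resend them automatically, so the skip is only safe for endpoints that a browser session never drives.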