views: 37
answers: 3

Hi!

I'm about to replace my old-fashioned session-based server solutions with RESTful ones. Where can I find information about design principles concerning security, authentication etc. when moving into this stateless domain?

I need to find solutions that work with different client platforms (Flex/Air, browser, desktop and mobile apps etc.). Right now I work with PHP on the server end.

+1  A: 

OAuth 2.0?

Peter Bailey
Thank you Peter, I'll check it out!
Cambiata
+1  A: 

The easiest is basic http authentication; http://en.wikipedia.org/wiki/Basic_access_authentication

k_b
Or, if you want better security, digest
troelskn
@k_b: Easy, yes, but secure? Doesn't that mean transferring username and password with every request?
@troelskn: Hmm... So digest is a more secure form of http authentication..? Thanks! I'll check it out!
Cambiata
With https you should be ok, but of course, it's not the most secure alternative. Digest is better.
k_b
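To make the trade-off discussed in this answer concrete, here is an added Python example (not code from any poster) that decodes a Basic header, showing the password really is carried on every request, and verifies an RFC 2617 Digest header with qop=auth, where only an MD5 response travels. The realm, user store and server nonce are constructed for the demo.

```python
import base64
import hashlib
import hmac
import re

# Constructed demo values: a realm, one user, and the nonce the server issued
REALM = "api@example.com"
USERS = {"alice": "s3cret"}
SERVER_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def basic_credentials(auth_header: str):
    """Basic auth: the password itself is on the wire (base64 is not encryption)."""
    scheme, _, token = auth_header.partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

def parse_digest(auth_header: str) -> dict:
    """Split 'Digest k="v", k2=v2, ...' into a dict (values may be unquoted)."""
    scheme, _, fields = auth_header.partition(" ")
    if scheme.lower() != "digest":
        return {}
    return dict(re.findall(r'(\w+)="?([^",]*)"?', fields))

def build_digest(user, password, method, uri, nonce, cnonce="0a4f113b", nc="00000001"):
    """What a client sends: a hash derived from the password, never the password."""
    ha1 = md5_hex(f"{user}:{REALM}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    resp = md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')

def verify_digest(auth_header: str, method: str, expected_nonce: str) -> bool:
    """Server side: recompute the response and compare in constant time."""
    p = parse_digest(auth_header)
    required = ("username", "realm", "nonce", "uri", "response", "qop", "nc", "cnonce")
    if any(k not in p for k in required):
        return False
    # Reject replays against a stale nonce, wrong realm, or unsupported qop
    if p["realm"] != REALM or p["nonce"] != expected_nonce or p["qop"] != "auth":
        return False
    password = USERS.get(p["username"])
    if password is None:
        return False
    ha1 = md5_hex(f'{p["username"]}:{REALM}:{password}')
    ha2 = md5_hex(f'{method}:{p["uri"]}')  # method is bound in, so a stolen GET proof fails for POST
    expected = md5_hex(f'{ha1}:{p["nonce"]}:{p["nc"]}:{p["cnonce"]}:auth:{ha2}')
    return hmac.compare_digest(expected.encode(), p["response"].encode())
```

Digest still relies on MD5 and a server-side nonce store; over HTTPS both schemes are protected in transit, but only Digest keeps the password itself out of the request.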
A: 

Learn from examples like Google accounts authorization, Yahoo REST APIs etc.

Some points to notice:

  • Cookies are usually used as out-of-band authentication tokens.
  • Beware of AJAX calls failing authentication - if they get a 302 redirect to a form, it will be followed automatically and you'll get a 200 response with the form body as a response
ob1
Hmm... "out-of-band" - what does that mean?
Cambiata
"out-of-band" as opposed to inside the payload, in the sense that the authentication token is not applicative and part of a POST body for example, but rather resides in the HTTP headers and does not affect your specific applicative payload
ob1
Ah! Thank you, ob1!
Cambiata