Client agnostic solutions for RESTful resource security/authentication etc.? | ansaurus

tags:

views:

37

answers:

3

Q:

Client agnostic solutions for RESTful resource security/authentication etc.?

Hi!

I'm about to replace my oldfashioned sessionbased server solutions with RESTful ones. Where can I find information about design principles concerning security, authentication etc. when moving into this stateless domain?

I need to find solutions that work with different client platforms (Flex/Air, Browser, desktop and mobile apps etc.). Right now I work with php in the server end.

+1 A:

Peter Bailey 2010-06-02 14:11:27

Thank you Peter, I'll check it out!

Cambiata 2010-06-02 14:39:05

+1 A:

The easiest is basic http authentication; http://en.wikipedia.org/wiki/Basic_access_authentication

k_b 2010-06-02 14:12:59

Or, if you want better security, digest

troelskn 2010-06-02 14:14:54

@k_b: Easy, yes, but secure? Doesn't that mean transferring username and password with every request?@troelskn: Hmm... So digest is a more secure form of http authentication..? Thanks! I'll check it out!

Cambiata 2010-06-02 14:30:13

With https you should be ok, but of course, it's not the most secure alternative. Digest is better.

k_b 2010-06-02 14:59:36

A:

Learn from examples like Google accounts authorization, Yahoo REST APIs etc.

Some points to notice:

Cookies are usually used as out-of-band authentication tokens.
Beware of AJAX calls failing authentication - if they get a 302 redirect to a form, it will be followed automatically and you'll get a 200 response with the form body as a response

ob1 2010-06-02 14:14:36

Hmm... "out-of-band" - what does that mean?

Cambiata 2010-06-02 14:40:59

"out-of-band" as opposed to inside the payload, in the sense that the authentication token is not applicative and part of a POST body for example, but rather resides in the HTTP headers and does not affect your specific applicative payload

ob1 2010-06-02 20:11:31

Ah! Thank you, ob1!

Cambiata 2010-06-03 11:01:07

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )

MySQL/Apache Error in PHP MySQL query

Lightweight IDE for Linux

What PHP framework would you choose for a new application and why?

Why is my ternary expression not working?

How can I get at the matches when using preg_replace in PHP?

Mechanisms for tracking DB schema changes

Wordpress theme development offline tools

Using object property as default for method property

How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?

Make XAMPP/Apache serve file outside of htdocs

How do you debug PHP scripts?

PHP Variables passed by value or by reference?

Best way to implement unit testing in PHP

Connect PHP to an AS/400

Best way to access Exchange using PHP?

PHP Session Security

How do I access a remote form in php?

What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)

Apache/PHP: error_log per Virtual Host?

How do I track file downloads with apache/PHP

How would you access Object properties from within an object method?

Flat File Databases in PHP

Best way to allow plugins for a PHP application

Latest information on PHP upcoming releases