I would suggest a server-generated temp key which then gets pumped to the
client and is part of each request.  Then the only thing you need to do is
make sure that the initial request is from an authentic source.  This part
may be harder if relying on cookies but if only temp keys are used then
it might not be such an issue.

On 20/08/2008, Taco Fleur <[EMAIL PROTECTED]> wrote:
>
> hmm, yes, I was thinking about authentication at app level, but I think I'm
> going to have to rethink this and do need to look at user authentication
> level which would have to happen anyway.
>
> cheers
>
>
>  On 8/20/08, Terry Sasaki <[EMAIL PROTECTED]> wrote:
>>
>>
>> Is it possible somehow to issue a cookie beforehand (perhaps users
>> need to manually login first), and attach it to SOAP request header???
>>
>> I'm doing a similar thing, but it's not JS.
>>
>> 2008/8/20 Taco Fleur <[EMAIL PROTECTED]>:
>> > Users would make an HTTP request to our domain, they get the initial HTML and
>> > JS on their machine, from there on out the requests will be made between the
>> > client's browser and our web services which are on another domain. Once the
>> > JS app is on the client-side we cannot check whether subsequent requests
>> > are coming from our domain.
>> >
>> > On 8/20/08, Dale Fraser <[EMAIL PROTECTED]> wrote:
>> >>
>> >> Users running your app would be coming from your domain, a copy would be
>> >> coming from a different domain.
>> >>
>> >>
>> >>
>> >> So you need to ensure that you only allow requests to your webservices
>> >> from your domain.
>> >>
>> >>
>> >>
>> >> Regards
>> >>
>> >> Dale Fraser
>> >>
>> >> http://learncf.com
>> >>
>> >> http://flexcf.com
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> From: cfaussie@googlegroups.com [mailto:[EMAIL PROTECTED] On
>> >> Behalf Of Taco Fleur
>> >> Sent: Wednesday, 20 August 2008 8:52 AM
>> >> To: cfaussie@googlegroups.com
>> >> Subject: [cfaussie] [OT] Authentication with JavaScript/AJAX
>> >>
>> >>
>> >>
>> >> I was wondering if anyone has run into this before; we're creating a
>> >> client side app in JS (think of gmail), the problem being that I can't
>> >> immediately think of a way to authenticate the client without embedding the
>> >> authentication details in the JS.
>> >>
>> >> In other words, when our JS app is loaded on the client side we want to
>> >> make sure it is our app that's talking to us, and not someone who has copied
>> >> the code and is running all types of requests against our server. The client
>> >> we are planning to create will consume web services provided by us. I hope
>> >> this makes any sense.
>> >>
>> >> Cheers
>> >> --
>> >> Try advertising on the new Australian Business Directory
>> >> www.clickfind.com.au
>> >> blog: http://australiansearchengine.wordpress.com/
>> >> Web Designers > http://www.web-designers-australia.com
>> >>
>> >>
>> >
>> >
>> >
>>


-- 
Cheers
Simon Haddon

Woman loves feeling danger and speed. That is why woman wants man.  They get
a speed rush that is the most dangerous of all.
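
The server-generated temp key suggested at the top of this message, sketched as an added example (not code from the thread or from anyone on the list). Node.js stands in for the server side; the function names, the 300-second lifetime and the token layout are assumptions made for illustration.

```javascript
// Added example: short-lived, server-signed request key (Node.js, built-in crypto only).
const crypto = require('crypto');

// Assumption: a secret that never leaves the server; generated at startup here.
const SERVER_SECRET = crypto.randomBytes(32);
const TTL_SECONDS = 300; // assumed lifetime of a temp key

function sign(payload) {
  return crypto.createHmac('sha256', SERVER_SECRET).update(payload).digest('base64url');
}

// Called only after the initial request has been authenticated (e.g. after login).
function issueTempKey(userId, nowSec = Math.floor(Date.now() / 1000)) {
  const claims = { sub: userId, exp: nowSec + TTL_SECONDS,
                   nonce: crypto.randomBytes(8).toString('hex') };
  const payload = Buffer.from(JSON.stringify(claims)).toString('base64url');
  return `${payload}.${sign(payload)}`;
}

// Called on every web-service request; returns the user id, or null if rejected.
function verifyTempKey(key, nowSec = Math.floor(Date.now() / 1000)) {
  if (typeof key !== 'string') return null;
  const parts = key.split('.');
  if (parts.length !== 2) return null;
  const [payload, mac] = parts;
  const expected = Buffer.from(sign(payload));
  const given = Buffer.from(mac);
  // Constant-time comparison so the MAC cannot be guessed byte by byte.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  let claims;
  try {
    claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) return null; // expired
  return claims.sub;
}
```

The key ties each request to the user who was authenticated on the initial request; it does not prove which copy of the JS sent the request.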
