On Wed, Sep 14, 2011 at 6:40 PM, Stephan Beal <sgb...@googlemail.com> wrote:
> Hi, all!
> Just implemented...
> Request:
> GET: /json/login?n=name&p=pass
> Param names "n" and "p" are for compatibility with the current usage, and
> may optionally be written out as "name" and "password".
> or POST: /json/login
> POST request body: { "payload":{"name":"...", "password":"..."} }
> (POSTed login data doesn't land in the apache logs, so it's highly
> preferred!)

For the password on GET, you could mimic what HTTP-Auth-Digest does. Instead of sending the password in plain text, you hash the password with a nonce received from the server. Of course, to get the nonce, you have to attempt to log in without supplying credentials. The server would then respond with a payload containing the nonce to use in the hash. One way to generate the nonce would be to concatenate the date, time, IP address and a random number, then hash the result.

_______________________________________________
fossil-users mailing list
fossil-users@lists.fossil-scm.org
http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users
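
The nonce exchange suggested in the reply above, sketched as an added example (not code from this thread or from Fossil): the server issues a single-use, expiring nonce and the client sends a keyed hash in place of the password. Assumptions: HMAC-SHA256 as the hash, a `nonce` field in the payload, a 60-second lifetime, and the hypothetical names `LoginServer`, `make_nonce` and `client_response`.

```python
import hashlib
import hmac
import secrets
import time

NONCE_TTL = 60  # seconds a challenge stays valid (assumed value)


def make_nonce(client_ip, now=None):
    """Nonce as described above: hash of date/time, IP address and a random number."""
    now = time.time() if now is None else now
    material = f"{now}:{client_ip}:{secrets.token_hex(16)}"
    return hashlib.sha256(material.encode()).hexdigest()


def client_response(password, nonce):
    """Value the client sends instead of the password (HMAC-SHA256, an assumed choice)."""
    return hmac.new(password.encode(), nonce.encode(), hashlib.sha256).hexdigest()


class LoginServer:
    def __init__(self, users):
        self.users = users   # name -> password (constructed sample data)
        self.pending = {}    # nonce -> (client_ip, expiry time)

    def challenge(self, client_ip, now=None):
        """Reply to a login attempt that carried no credentials."""
        now = time.time() if now is None else now
        nonce = make_nonce(client_ip, now)
        self.pending[nonce] = (client_ip, now + NONCE_TTL)
        return {"payload": {"nonce": nonce}}

    def login(self, name, nonce, response, client_ip, now=None):
        now = time.time() if now is None else now
        # pop() makes each nonce single-use, so a logged or sniffed URL cannot be replayed.
        issued = self.pending.pop(nonce, None)
        if issued is None or issued[0] != client_ip or now > issued[1]:
            return False
        password = self.users.get(name)
        if password is None:
            return False
        expected = client_response(password, nonce)
        # Constant-time comparison avoids leaking how many characters matched.
        return hmac.compare_digest(expected, response)
```

As with HTTP Digest, the server has to hold the password or an equivalent secret to recompute the response, and a captured nonce/response pair can still be attacked by offline guessing.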