You can use an "API key" instead of a username-password, and send it with every request as a custom HTTP header. You can read an example from http://www.symfony-project.org/more-with-symfony/1_4/en/10-Symfony-Internals:

"Using the request.filter_parameter event
Let's say you're operating a website exposing a public API to your users. The API is available through HTTP, and each user wanting to use it must provide a valid API key through a request header (for example X_API_KEY) to be validated by your application. This can be easily achieved using the request.filter_parameter event:..."

I hope it helps

Cristian Iturri

On 30 May, 06:48, Gareth McCumskey <gmccums...@gmail.com> wrote:
> Web services are considered stateless requests. There is no "client side
> browser" to manage storing a cookie to allow for stateful sessions. A better
> solution is to include the authentication with every request made and then
> verify the credentials on the server side with each request. With a REST
> service for example, you can include these as custom HTTP headers with nonce
> salts to encrypt the password itself as it is sent over the wire for
> security reasons. A very similar mechanism can be used for SOAP where an
> authentication header tag is sent with each request.
>
> This is really the only way to successfully have authentication-based web
> services.
>
> On Sat, May 28, 2011 at 4:04 PM, Filipe Dias
> <filipediasferre...@gmail.com> wrote:
>
> > Hi all,
> >
> > I'm developing an application as an API: making requests returns
> > simple xml or json files, but I need to save some properties in
> > session.
> > All available documentation is form login oriented. I got
> > authentication getting a connection to a database, using doctrine
> > ORM.
> > If it is a valid login, the result will be an xml/json with success as
> > content.
> >
> > Login is accessed like http://server/login/<username>/<password>/<format>
> > logout like http://server/logout/<format>
> > and account like http://server/account/<resource>/<format>.
> >
> > So I got a problem: I can't handle the session storage of symfony,
> > because in each request I get a new session id;
> >
> > Does anyone know:
> > 1. how I can get a ROLE_USER (or similar) after receiving a successful
> > login
> > 2. how I can get all information from session when I access the
> > account with a valid login
> > 3. how I can invalidate the session in the logout resource.
> > 4. Which is the best configuration in security for this situation!?
> >
> > Cheers,
> > Filipe Dias
> >
> > --
> > If you want to report a vulnerability issue on symfony, please send it to
> > security at symfony-project.com
> >
> > You received this message because you are subscribed to the Google
> > Groups "symfony users" group.
> > To post to this group, send email to symfony-users@googlegroups.com
> > To unsubscribe from this group, send email to
> > symfony-users+unsubscr...@googlegroups.com
> > For more options, visit this group at
> > http://groups.google.com/group/symfony-users?hl=en
>
> --
> Gareth McCumskey
> http://garethmccumskey.blogspot.com
> twitter: @garethmcc
> identi.ca: @garethmcc
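
The per-request API key check discussed in this thread, as an added example in plain PHP that is not part of the original messages and not symfony's own code. The function names, the key format, the digest-keyed store and the sample accounts are assumptions made for illustration; the user and role are resolved from the X_API_KEY header on every request, and revoking a key takes the place of a session logout.

```php
<?php
// Added example, not symfony code. Keys, users and roles below are constructed.

// Server-side store: SHA-256 digest of each issued key => account record,
// so a leaked table does not hand out usable keys.
function buildKeyStore(array $issued): array
{
    $store = [];
    foreach ($issued as $plainKey => $account) {
        $store[hash('sha256', $plainKey)] = $account;
    }
    return $store;
}

// Resolve the caller from the headers of every request; no session is kept.
// $server is shaped like $_SERVER, where PHP exposes the X_API_KEY request
// header as HTTP_X_API_KEY. Returns the account, or null (answer with 401).
function authenticateRequest(array $server, array $store): ?array
{
    $key = $server['HTTP_X_API_KEY'] ?? '';
    if (!is_string($key) || !preg_match('/\A[A-Za-z0-9]{32,64}\z/', $key)) {
        return null; // header missing or malformed
    }
    $digest = hash('sha256', $key);
    foreach ($store as $storedDigest => $account) {
        // hash_equals() compares in constant time
        if (hash_equals((string) $storedDigest, $digest)) {
            return $account['revoked'] ? null : $account; // revoked = "logged out"
        }
    }
    return null; // unknown key
}

$activeKey  = 'demoActive' . str_repeat('0', 30);  // constructed, 40 chars
$revokedKey = 'demoRevoked' . str_repeat('0', 30); // constructed, 41 chars
$store = buildKeyStore([
    $activeKey  => ['user' => 'filipe', 'roles' => ['ROLE_USER'], 'revoked' => false],
    $revokedKey => ['user' => 'old-client', 'roles' => ['ROLE_USER'], 'revoked' => true],
]);

$requests = [
    'valid key'   => ['HTTP_X_API_KEY' => $activeKey],
    'revoked key' => ['HTTP_X_API_KEY' => $revokedKey],
    'wrong key'   => ['HTTP_X_API_KEY' => str_repeat('x', 40)],
    'no header'   => [],
];
foreach ($requests as $label => $server) {
    $account = authenticateRequest($server, $store);
    echo $label, ': ', $account ? '200 ' . implode(',', $account['roles']) : '401', PHP_EOL;
}
```

The key is a bearer secret, so the API has to be served over HTTPS only; a key sent in a header also stays out of the URL and therefore out of access logs.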