On 19. Mar, 2010, at 18:28 , Kieran Kelleher wrote:

> Now what about the case where API keys are inconvenient for the end client 
> user. For example, I have a Gianduia Cappuccino app where the user goes to a 
> site, logs in and works away in his Cappuccino app with occasional REST 
> requests to GET and manipulate server-side data. I guess we could store his 
> userid and SHA-hashed password locally in the Cappuccino app and send the 
> user id and SHA-hashed password in two of the headers with every HTTPS REST 
> request ..... is that common practice for this scenario?

For this I'd rather use an auth token that is encrypted and can be cracked on 
the server to relate it to an account. 

You could make that valid for a given time (store it in memcached, file system, 
db, ... with expiry date) and relate that on the server side to the actual 
account after the user logged in at least once. As it is a web application, you 
probably don't want to send long lived tokens around that could end up in 
browser caches and the like ...

cug

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list      ([email protected])
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/webobjects-dev/archive%40mail-archive.com
