How to handle authentication in PHP REST web service?
Question
I've read that a good way to write web services to be consumed from mobile apps is to avoid SOAP (too verbose) and to use REST. In many REST examples, I have seen it is better to avoid sessions due to the stateless nature of REST. But how can I assure security when invoking my web service? I would like to make a "login" call than pass a session_id/token to the next web service call. How can I do it?
2 answers
solution1
4 2011-03-07 14:24:45
The cleanest way would be using HTTP authentication. While that wouldn't go by the login+sessionid way you mentioned it would be much cleaner and more straightforward (API calls do not related on other API calls and clients do not need to expect session timeouts etc.)
solution2
3 2011-03-07 14:18:23
You can pass user token (and session, or any other auth data if you need it) in a json request like:
{"auth": {"session_id": "abc", "token":"123"},
"data": "your request data"
}
If you are crazy about security you can generate a new token after each user login and even have life time for tokens.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.