[LRUG] RESTful Authentication [was Next Month - Call for participation]

Eleanor eleanor at goth-chic.org
Sun Feb 18 14:53:32 PST 2007


On 16 Feb 2007, at 13:02, soledad penadés | sole wrote:
> I have been following with high interest the REST-y approach to  
> controllers and all that. Buuuut I'm still stuck on something and  
> it is Authentication. They are saying we should use http auth since  
> it is what REST is about - to use the HTTP protocol as it is  
> specified. But it looks a bit limited, once you log in like that,  
> you have to close the browser for the auth to be "canceled". No  
> space for a "logout" button which deletes cookies since there's no  
> cookie to be deleted. You know what I mean!
>
> What do you think should be the best approach? Has anybody been in  
> this situation before?
>
> Ultimately, what I'm asking/wondering about is "what's the best way  
> for doing this".
>
> If it doesn't make up for a complete talk then do not hesitate and  
> post your comment, maybe in a different thread so as not to spoil this  
> topic, please please please! :-)

I think there's more than a few talks to be had on HTTP  
authentication as it's a messy subject - in fact it's messy enough  
that my first LRUG I spent a good half hour fuming about the subject lol

The new Rails REST obsession may make things easier - at least for  
JavaScript-based browser sessions - as those allow you to add and  
delete HTTP headers but not having tried in anger I wouldn't like to  
bet on it. In theory you should also be able to do this from the  
server end, but unfortunately browsers have this bad habit of caching  
authentication headers and resending them when they shouldn't.

Another option is to only run authenticated sessions over SSL and  
then to drop back down to standard HTTP on logout, which given that  
an HTTP authentication header isn't that secure is probably a good  
idea anyway.

If I have the time to experiment I may be up for a quick presentation  
on the subject at some point, or else corner me in a pub with beer  
sometime and I'll give you the 'colourful' version lol

Ellie


Eleanor McHugh
Games With Brains
----
raise ArgumentError unless @reality.responds_to? :reason
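
The points raised in this message, as an added Ruby example that is not part of the original post or of any Rails code: a Basic `Authorization` header is only Base64, so the handler never challenges over plain HTTP, and "logout" is done from the server end by answering 401. The names `handle`, `parse_basic`, `USERS`, `HOST` and the paths are hypothetical, and the claim that a 401 makes a browser drop its cached credentials is an assumption about common browser behaviour, which varies.

```ruby
# Added example; handle, parse_basic, USERS, HOST and the paths are hypothetical.
require 'digest'

HOST  = 'app.example'                       # constructed host name
REALM = 'members'
USERS = { 'sole' => 'constructed-secret' }  # constructed sample credentials
CHALLENGE = { 'WWW-Authenticate' => %(Basic realm="#{REALM}") }.freeze

# "Authorization: Basic <base64(user:password)>" is an encoding, not encryption:
# anyone who can read the request recovers the password with one decode.
def parse_basic(header)
  scheme, blob = header.to_s.split(' ', 2)
  return nil unless blob && scheme.casecmp?('Basic')
  user, pass = blob.strip.unpack1('m0').split(':', 2)
  pass ? [user, pass] : nil
rescue ArgumentError                        # strict Base64 decode failed
  nil
end

# Compare fixed-length digests without an early exit on the first mismatch.
def same_secret?(a, b)
  x, y = [a, b].map { |s| Digest::SHA256.digest(s).bytes }
  x.zip(y).reduce(0) { |acc, (p, q)| acc | (p ^ q) }.zero?
end

# req: { scheme:, path:, authorization: }  ->  [status, headers]
def handle(req)
  if req[:scheme] != 'https'
    # Never challenge on cleartext HTTP, so the browser is never asked to
    # send the password where it can be read off the wire.
    return [200, {}] if req[:path] == '/'
    return [301, { 'Location' => "https://#{HOST}#{req[:path]}" }]
  end
  # Logout: reject whatever was sent. Assumption: the browser then stops
  # reusing its cached credentials for this realm and prompts again.
  return [401, CHALLENGE] if req[:path] == '/logout'
  user, pass = parse_basic(req[:authorization])
  known = USERS.fetch(user, '')
  return [401, CHALLENGE] unless pass && same_secret?(pass, known) && USERS.key?(user)
  [200, { 'X-User' => user }]
end
```

Browsers scope cached Basic credentials to the scheme, host and realm, so the plain-HTTP pages never receive the header; the credentials cached for the HTTPS side stay in the browser until it is given a 401 or closed.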
