Authenticating and tracking users in a JSON webservice

I have a contact management / CRM application used in-house by our company. It is a web-based app and thus uses a lot of Ajax. Most of the data is JSON, and the backend server uses PHP with MySQL as the database...

I would like to build a mini Adobe Air version of that, mostly because I can use Drag and Drop file uploads, client side image resizing, client side screenshot creation of uploaded files etc. etc.

Now, because the server side is a glorified JSON data provider, I figure I can adapt it to provide data to the AIR app.

My problem is, how do I handle authentication?
In PHP I use sessions for authentication...
For AIR I figure it will be more like a JSON webservice, where you call a certain URL to access certain JSON data.

After a bit of brainstorming, here is what I came up with:

  1. The user logs in when the AIR app starts
  2. The server returns a unique token on successful login, and stores that token in the DB
  3. The AIR app has to append that token to every request it makes to the server
  4. On every request, the server checks the validity of the token by comparing it to the one stored in the DB.

The questions are,
is there a better way than this?
How long should the token be valid for?
How do I handle clients that close the application without logging out, and without giving me a chance to nullify the token on the server?

If anyone has been in a similar situation, I hope to be enlightened by your answers...

thanks

Best answer

How about this:

  1. Simply return the PHP Session ID in your JSON data to the AIR app upon authentication.
  2. Your AIR app stores the Session ID and uses it for requests in that session.
  3. When your PHP receives a request with the Session ID, set the session to that Session ID.
  4. Your session will be maintained easily by PHP and you will be able to use $_SESSION as per normal.

When you receive a request with Session ID, simply do this:

if (isset($_GET['sess_id'])) {
  // $_GET['sess_id'] is where you put the Session ID stored in your AIR app
  session_id($_GET['sess_id']);
}
session_start(); // must run after session_id() so that PHP resumes that session

This might be better because you drop the need to maintain sessions in the database.
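
The four-step token scheme from the question, with a server-side idle timeout so that a client that closes without logging out simply lets its token lapse; this is an added example, not code from the question or the answer. It stores a SHA-256 hash of the token rather than the token itself, and the `api_tokens` table, the function names, the 30-minute limit and the in-memory SQLite database (standing in for the MySQL backend) are assumptions.

```php
<?php
// Added example: table, column and function names and the idle limit are assumptions.
const IDLE_LIMIT = 1800; // seconds a token stays valid without use (assumed value)

function open_db(): PDO {
    // In-memory SQLite keeps the example self-contained; the page's backend is MySQL.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE api_tokens (token_hash TEXT PRIMARY KEY, user_id INTEGER, last_seen INTEGER)');
    return $db;
}

// Steps 1-2: after a successful login, issue a random token and store its hash.
function issue_token(PDO $db, int $userId, int $now): string {
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $stmt = $db->prepare('INSERT INTO api_tokens (token_hash, user_id, last_seen) VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $userId, $now]);
    return $token; // only the client ever holds the raw value
}

// Steps 3-4: look the presented token up by hash; reject unknown or idle tokens.
function check_token(PDO $db, string $token, int $now): ?int {
    $hash = hash('sha256', $token);
    $stmt = $db->prepare('SELECT user_id, last_seen FROM api_tokens WHERE token_hash = ?');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    if ($now - (int)$row['last_seen'] > IDLE_LIMIT) {
        // The client closed without logging out: the token expires on its own.
        $db->prepare('DELETE FROM api_tokens WHERE token_hash = ?')->execute([$hash]);
        return null;
    }
    // Sliding expiry: every valid request restarts the idle clock.
    $db->prepare('UPDATE api_tokens SET last_seen = ? WHERE token_hash = ?')->execute([$now, $hash]);
    return (int)$row['user_id'];
}

// Constructed run: user 42 logs in, uses the token, then goes idle.
$db = open_db();
$t0 = 1700000000; // constructed timestamp
$token = issue_token($db, 42, $t0);
var_dump(check_token($db, $token, $t0 + 600));                  // active use
var_dump(check_token($db, $token, $t0 + 600 + IDLE_LIMIT + 1)); // idle too long
var_dump(check_token($db, 'not-a-real-token', $t0));            // unknown token
```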
