webservice authorization best practices

I'm creating a webpage which is linked to a web service i am creating.

now the webpage is easy. i can create a session to store login information which gets passed to the webservice with my jquery url calls to the webservice.

but how would this be done if its a different website on a different domain accessing my webservice (client side access via javascript ajax) ? would it call my webservice/login?userid=&password= which returns a sessionID then that website has to remember the sessionID and include it on every call? example: order/outbound/create?address=&item=&companyName=&sessionID=435hg34kh

?

I appreciate any help i could receive on this topic.

not that this really has an开发者_StackOverflowything to do with the above question (I think) i'm programming the webservice in php.

Authentication with webservices depends either on the HTTP/Soap protocols, either in the service contract (generally using a token).

The solution based on a first call retrieving an ID and then exchanging session id is the good one for client side invocation (that have no access to HTTP/Soap protocols, only services parameters, in such case you're generally using light Webservices based on Rest).

Business side invocation may also rely on Basic Authentication or WS-Security. Ebay is using your approach for its webservices, that are generally invoked from business applications (and not directly client browser).

One consequence is that effectively the server and the client need to maintains the session token. You eventually need an invalidation service that logout the user (preventing from the login token from beeing reused).

Basic approach for cross domain Javascript HTTP invocation is documented here