Authenticating and tracking users in a JSON webservice
I have a contact management / CRM application used in-house by our company. It is a web-based app and thus uses a lot of Ajax. Most of the data is JSON, and the backend server uses PHP with MySQL as the database...
I would like to build a mini Adobe Air version of that, mostly because I can use Drag and Drop file uploads, client side image resizing, client side screenshot creation of uploaded files etc. etc.
Now, because the server side is a glorified JSON data provider, I figure I can adapt it to provide data to the AIR app.
My problem is, how do I handle authentication?
In PHP I use sessions for authentication... For AIR I figure it will be more like a JSON webservice, where you call a certain URL to access certain JSON data. After a bit of brainstorming, here is what I came up with:
- The user logs in when the AIR app starts
- The server returns an unique token on successful login, and stores that token in the DB
- The AIR app has to append that token to every request it makes to the server
- On every request, the server checks the validity of the token by comparing it to the one stored in the DB.
The questions are,
is there a better way than this? How long should the token be valid for? How do I handle clients that close the application without logging out, and without giving me a chance to nullify the token on the server? If anyone has been in a similar situation, I hope to be enlightened by your answers...
thanks
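One way to implement the token scheme sketched in the question, as an added example that is not code from the question or answer: PHP with PDO over an in-memory SQLite table so it runs stand-alone. The table layout, the 30-minute idle timeout, and the function names are assumptions.

```php
<?php
// Added example: token store for the login/token/validate design described above.
// Assumptions: table api_tokens(token_hash, user_id, expires_at), 30-minute idle timeout.
const TOKEN_IDLE_SECONDS = 1800;

function openStore(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Only the SHA-256 of the token is stored, so a dumped table yields no usable tokens.
    $db->exec('CREATE TABLE api_tokens (token_hash TEXT PRIMARY KEY, user_id INTEGER, expires_at INTEGER)');
    return $db;
}

// Called once the password check succeeds: issue a fresh token and hand the raw value to the AIR app.
function issueToken(PDO $db, int $userId): string {
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, not guessable or sequential
    $stmt = $db->prepare('INSERT INTO api_tokens (token_hash, user_id, expires_at) VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $userId, time() + TOKEN_IDLE_SECONDS]);
    return $token;
}

// Called on every request: returns the user id, or null if the token is unknown or expired.
// The expiry slides forward on each use, so a client that quits without logging out
// simply times out after TOKEN_IDLE_SECONDS of inactivity; no explicit logout is required.
function authenticate(PDO $db, string $token): ?int {
    $hash = hash('sha256', $token);
    $stmt = $db->prepare('SELECT user_id, expires_at FROM api_tokens WHERE token_hash = ?');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['expires_at'] < time()) {
        return null;
    }
    $db->prepare('UPDATE api_tokens SET expires_at = ? WHERE token_hash = ?')
       ->execute([time() + TOKEN_IDLE_SECONDS, $hash]);
    return (int)$row['user_id'];
}

// Explicit logout from the AIR app.
function revokeToken(PDO $db, string $token): void {
    $db->prepare('DELETE FROM api_tokens WHERE token_hash = ?')->execute([hash('sha256', $token)]);
}

// Periodic sweep (cron or on login) that removes tokens abandoned by clients that never logged out.
function purgeExpired(PDO $db): int {
    $stmt = $db->prepare('DELETE FROM api_tokens WHERE expires_at < ?');
    $stmt->execute([time()]);
    return $stmt->rowCount();
}

// Stand-alone walkthrough: issue, validate, reject an unknown token, revoke, validate again.
$db = openStore();
$token = issueToken($db, 42);
var_dump(authenticate($db, $token));
var_dump(authenticate($db, str_repeat('0', 64)));
revokeToken($db, $token);
var_dump(authenticate($db, $token));
```

Sending the token in a request header rather than in the query string keeps it out of web-server access logs and browser history.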
How about this:
- simply return the PHP Session ID in your JSON data to the AIR app upon authentication
- your AIR app stores the Session ID and uses it for requests in that session
- when your PHP receives a request with a Session ID, set the session to that ID:
- Your session will be maintained easily by PHP and you will be able to use $_SESSION as per normal.
When you receive a request with Session ID, simply do this:
if (isset($_GET['sess_id'])) {
    // $_GET['sess_id'] is where you put the Session ID stored in your AIR app
    session_id($_GET['sess_id']);
}
session_start(); // must run after session_id(), otherwise the supplied ID is ignored
This might be better because you drop the need of maintaining Sessions in database.