Authenticating and tracking users in a JSON webservice

I have a contact management / CRM application used in-house by our company. It is a web-based app and thus uses a lot of Ajax. Most of the data is JSON, and the backend server uses PHP with MySQL as the database...

I would like to build a mini Adobe Air version of that, mostly because I can use Drag and Drop file uploads, client side image resizing, client side screenshot creation of uploaded files etc. etc.

Now, because the server side is a glorified JSON data provider, I figure I can adapt it to provide data to the AIR app.

My problem is, how do I handle authentication?

In PHP I use sessions for authentication...

For AIR I figure it will be more like a JSON webservice, where you call a certain URL to access certain JSON data.

After a bit of brainstorming, here is what I came up with:

  1. The user logs in when the AIR app starts
  2. The server returns a unique token on successful login, and stores that token in the DB
  3. The AIR app has to append that token to every request it makes to the server
  4. On every request, the server checks the validity of the token by comparing it to the one stored in the DB.

The questions are,

Is there a better way than this?

How long should the token be valid for?

How do I handle clients that close the application without logging out, and without giving me a chance to nullify the token on the server?

If anyone has been in a similar situation, I hope to be enlightened by your answers...

thanks


How about this:

  1. simply returning the PHP Session ID in your JSON data to the AIR App upon authentication
  2. Your AIR app stores the Session ID and uses it for requests in that session
  3. When your PHP receives a request with the Session ID, set it to that session ID:
  4. Your session will be maintained easily by PHP and you will be able to use $_SESSION as per normal.

When you receive a request with Session ID, simply do this:

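if (isset($_GET['sess_id']) && is_string($_GET['sess_id'])
    && preg_match('/^[A-Za-z0-9,-]{22,256}$/', $_GET['sess_id'])) {
  // $_GET['sess_id'] is where you put the Session ID stored in your AIR app;
  // only the characters PHP allows in a session ID are accepted
  session_id($_GET['sess_id']);
}
session_start(); // session_id() has to be set before the session is started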

This might be better because you drop the need to maintain sessions in the database.

0
