[foaf-protocols] naive (?) question about rest-full authentication

Akbar Hossain akkiehossain at googlemail.com
Wed Dec 16 23:02:36 CET 2009


Hi Pierre-Antoine,

I have now made a number of changes to libAuthentication.php to better
support the delegated FOAF+SSL login server.

The library now incorporates the suggested session cookie pattern to store
the result of the delegated FOAF+SSL server.

So the pattern of usage would be along the lines of: ask the user to log in
via a link such as the following.
https://foafssl.org/srv/idp?authreqissuer=http://foaf.me/index.php

The page to which the delegated login server will return the user needs
to make a call to getAuth(). In this example that is
http://foaf.me/index.php

The result of the delegated server login process is stored in a session
cookie by the first call to getAuth(). The session cookie can then be
referenced on other pages.

So on each page where you wish to check if the user is logged in, make a
call to the getAuth() function and check the result.

You should not need to ask the user to log in on each page with the link to
the delegated login server.

There are more details on github at
http://github.com/melvincarvalho/libAuthentication

Feel free to contact me here or on the foaf.me maillist with any further
questions / feedback / suggested improvements.

Thanks and good luck!


On Tue, Nov 24, 2009 at 3:28 PM, Bruno Harbulot <
Bruno.Harbulot at manchester.ac.uk> wrote:

> Hi Pierre-Antoine,
>
> Pierre-Antoine Champin wrote:
> > Hi all,
> >
> > This will be PHP, so I'm considering using the foaf.me codebase as a
> > starting point.
> > [...]
> > However, it seems to me that this works nicely only because foaf.me does
> > everything on a single page, with a single URI. If it had links to other
> > pages and wanted the user to be still authenticated on the other page,
> > it would have to make each link of the form
> >   https://foafssl.org/srv/idp?authreqissuer=THE_OTHER_URI
> >
> > which would be quite ugly, wouldn't it?
>
> I'd suggest using a cookie for this. I know this could be considered as
> creating a session and, thus break the statelessness constraint of REST,
> but I think it's fine if you don't use that cookie for anything else
> than authentication: the rest of your application can still use
> stateless exchanges. Most secure authentication systems have some form
> of session in a way or another.
>
>
> Best wishes,
>
> Bruno.
> _______________________________________________
> foaf-protocols mailing list
> foaf-protocols at lists.foaf-project.org
> http://lists.foaf-project.org/mailman/listinfo/foaf-protocols
>
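Added example, not code from libAuthentication or from either poster: a PHP sketch of the pattern described in this message, where the page named in authreqissuer verifies the IdP's response once, caches the WebID in the session, and every later page just calls getAuth(). The response shape is an assumption here (the thread does not describe it): query parameters webid, ts and sig, with sig an RSA signature over the return URL up to but excluding "&sig=", and SHA-256 as the digest. The key pair, the WebID http://foaf.me/akbar#me and the signed URL in the demo are all constructed in the script itself so it runs offline; check the parameter names and digest against the IdP's own documentation before using any of this.

```php
<?php
// Added example (not libAuthentication's code): a getAuth()-style helper
// implementing "verify the IdP response once, then remember it in the session".
// Assumed, not stated in the thread: the IdP returns the user to
// authreqissuer with query parameters webid, ts (xsd:dateTime) and sig
// (base64 RSA signature over the return URL up to, but excluding, "&sig=").

const IDP_URL  = 'https://foafssl.org/srv/idp';
const MAX_SKEW = 300; // seconds a signed response stays acceptable (limits replay)

// Link to send the user to when they are not yet logged in.
function loginUrl(string $returnTo): string
{
    return IDP_URL . '?authreqissuer=' . rawurlencode($returnTo);
}

// Verify the signed return URL; returns the WebID on success, null otherwise.
function verifyIdpResponse(string $fullUrl, string $expectedIssuer, string $idpPublicKeyPem, int $now): ?string
{
    $parts = parse_url($fullUrl);
    if ($parts === false || !isset($parts['scheme'], $parts['host'], $parts['query'])) return null;
    // The response must come back to the page we named in authreqissuer.
    $issuer = $parts['scheme'] . '://' . $parts['host'] . ($parts['path'] ?? '');
    if ($issuer !== $expectedIssuer) return null;

    parse_str($parts['query'], $p);
    if (!isset($p['webid'], $p['ts'], $p['sig'])) return null;

    $sigPos = strpos($fullUrl, '&sig=');
    if ($sigPos === false) return null;
    $signedData = substr($fullUrl, 0, $sigPos);
    $sig = base64_decode($p['sig'], true);
    if ($sig === false) return null;

    $key = openssl_pkey_get_public($idpPublicKeyPem);
    if ($key === false) return null;
    // Assumed digest; use whatever the IdP actually signs with.
    if (openssl_verify($signedData, $sig, $key, OPENSSL_ALGO_SHA256) !== 1) return null;

    // Reject stale responses so a captured return URL cannot be replayed later.
    $ts = strtotime($p['ts']);
    if ($ts === false || abs($now - $ts) > MAX_SKEW) return null;

    return $p['webid'];
}

// getAuth(): answer from the session if we can; otherwise consume the IdP
// response (when this request is the return from the IdP) and cache the result.
function getAuth(array &$session, ?string $requestUrl, string $expectedIssuer, string $idpPublicKeyPem, int $now): ?string
{
    if (isset($session['webid'])) return $session['webid'];
    if ($requestUrl === null) return null;
    $webid = verifyIdpResponse($requestUrl, $expectedIssuer, $idpPublicKeyPem, $now);
    if ($webid === null) return null;
    // In a real request call session_regenerate_id(true) here, so a session id
    // planted before login does not turn into an authenticated one.
    $session['webid'] = $webid;
    return $webid;
}

// How the session should be started in a real web request (not run here):
// the cookie carries only the authentication result, so lock it down.
function startAuthSession(): void
{
    session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    session_start();
}

// --- constructed demo: play the IdP with a throwaway key, then act as the RP ---
$issuer = 'http://foaf.me/index.php';
$priv   = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$pubPem = openssl_pkey_get_details($priv)['key'];
$now    = time();
$unsigned = $issuer . '?webid=' . rawurlencode('http://foaf.me/akbar#me')
          . '&ts=' . rawurlencode(gmdate('Y-m-d\TH:i:s\Z', $now));
openssl_sign($unsigned, $rawSig, $priv, OPENSSL_ALGO_SHA256);
$returnUrl = $unsigned . '&sig=' . rawurlencode(base64_encode($rawSig));

$session = [];                                                   // stands in for $_SESSION
echo "login link: ", loginUrl($issuer), "\n";
var_dump(getAuth($session, $returnUrl, $issuer, $pubPem, $now)); // first call: verifies and caches
var_dump(getAuth($session, null, $issuer, $pubPem, $now));       // later page: served from the session
$fresh = [];
var_dump(getAuth($fresh, str_replace('akbar', 'mallory', $returnUrl), $issuer, $pubPem, $now)); // tampered webid: null
```

The point of keeping the IdP round trip and the session lookup behind one getAuth() is that pages never have to know whether they are the return page: the first call does the signature, issuer and timestamp checks, and every later call is a session read. Note that the original link in this thread passes authreqissuer unencoded; rawurlencode() as used in loginUrl() avoids trouble once the return URL itself carries a query string.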