[foaf-protocols] naive (?) question about rest-full authentication
Story Henry
henry.story at bblfish.net
Tue Nov 24 17:26:50 CET 2009
On 24 Nov 2009, at 15:28, Bruno Harbulot wrote:
> Hi Pierre-Antoine,
As Melvin pointed out, the foafssl.org server is used by foaf.me only to show that a foaf+ssl Identity provider can work. Of course it is better not to use one, as it saves an extra TCP connection to the foaf file.
> Pierre-Antoine Champin wrote:
>> Hi all,
>>
>> This will be PHP, so I'm considering using the foaf.me codebase as a
>> starting point.
>> [...]
>> However, it seems to me that this works nicely only because foaf.me does
>> everything on a single page, with a single URI. If it had links to other
>> pages and wanted the user to be still authenticated on the other page,
>> it would have to make each link of the form
>> https://foafssl.org/srv/idp?authreqissuer=THE_OTHER_URI
>>
>> which would be quite ugly, wouldn't it?
THE_OTHER_URI would be the same on each page btw. It is just a script which in the case of foafssl.org sets a cookie.
If you want to be really secure you can put all of your pages behind https. Then you won't need a cookie, https deals with session maintenance itself.
> I'd suggest using a cookie for this. I know this could be considered as
> creating a session and, thus break the statelessness constraint of REST,
> but I think it's fine if you don't use that cookie for anything else
> than authentication: the rest of your application can still use
> stateless exchanges. Most secure authentication systems have some form
> of session in a way or another.
>
>
> Best wishes,
>
> Bruno.
> _______________________________________________
> foaf-protocols mailing list
> foaf-protocols at lists.foaf-project.org
> http://lists.foaf-project.org/mailman/listinfo/foaf-protocols
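As an added illustration of the authentication-only cookie Bruno suggests (example code, not from this thread, foaf.me or foafssl.org): the script that THE_OTHER_URI points at would, once it has established the user's WebID, issue a cookie that carries only that WebID and an expiry, authenticated with an HMAC, and every other page verifies the cookie statelessly. How the WebID is established from the identity provider's answer is assumed to be done before `issue_auth_cookie` is called; the key, cookie name and function names are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Placeholder server-side key for this example; a real deployment keeps one
# persistent key (regenerating it on every start logs everyone out).
SECRET = secrets.token_bytes(32)


def issue_auth_cookie(webid, ttl_seconds, now=None, key=SECRET):
    """Return 'b64(webid).expiry.hmac' binding a WebID to an expiry time."""
    now = int(time.time()) if now is None else int(now)
    exp = now + ttl_seconds
    body = base64.urlsafe_b64encode(webid.encode()).decode() + "." + str(exp)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def verify_auth_cookie(cookie, now=None, key=SECRET):
    """Return the WebID if the cookie is intact and unexpired, else None."""
    now = int(time.time()) if now is None else int(now)
    try:
        b64, exp_s, tag = cookie.split(".")
        exp = int(exp_s)
    except ValueError:
        return None  # malformed: wrong field count or non-numeric expiry
    body = b64 + "." + exp_s
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampered payload or tag
    if now >= exp:
        return None  # expired; the user must re-authenticate
    return base64.urlsafe_b64decode(b64.encode()).decode()


def set_cookie_header(cookie):
    """Header the callback script sends; 'foafid' is a placeholder name."""
    return f"Set-Cookie: foafid={cookie}; Secure; HttpOnly; SameSite=Lax; Path=/"
```

Because the cookie holds nothing but the WebID, the rest of the application never needs a server-side session store, which is what keeps the other exchanges stateless.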