> Should authentication information be sent with every call?
> Can I authenticate to a web service and "remember" it.

In general, you can secure web services in the same way that you secure any other HTTP requests: by requiring some sort of authentication token, and ensuring that this token is returned with every subsequent web service request.

===================

I think that makes decent sense, but it's a bit abstract. Before I go off trying to imagine how that would work, let me clarify.

When you say authentication token, are you thinking user name and password, or some kind of long randomly generated alpha-numeric string which is unique and created at login? I assume you mean the second.

My next question is this: what would keep someone from sniffing packets on the network, grabbing the auth token and using it to emulate someone else? I assume the answer to that would probably be SSL.

Also, now that my server has distributed a pile of authentication tokens around, how does it keep track of them? Application, session? When an HTTP request comes in and says "here is my auth token" how does the app server know

1) It actually handed out that token
2) It recently handed that token out and not 3 months ago
3) It handed that token out to that specific client.

Maybe I am going at this wrong. Perhaps you meant that ALL clients would use the SAME token ALL the time they made a request.

I'll let you talk now to tell you if I am interpreting correctly or not. :)

~Brad

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:276329
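The three server-side checks listed in the message above (issued by this server, issued recently, issued to this client) can be met with a per-token record kept on the server. The following is an added example, not part of the original thread or of any ColdFusion API; the `TokenStore` class, the `client_id` binding value and the 30-minute lifetime are assumptions made for illustration, and transport protection (SSL, as the message assumes) is outside its scope.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 30 * 60  # assumed lifetime; pick one that fits the service


class TokenStore:
    """Hypothetical in-memory record of tokens this server has issued."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock
        self._records = {}  # sha256(token) -> (user, client_id, expires_at)

    @staticmethod
    def _digest(token):
        # Keep only a hash so a leaked store does not reveal usable tokens.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user, client_id):
        """Call after a successful login; returns the token for the client."""
        token = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
        expires_at = self._clock() + self._ttl
        self._records[self._digest(token)] = (user, client_id, expires_at)
        return token

    def validate(self, token, client_id):
        """Return the user if the token passes all three checks, else None."""
        key = self._digest(token)
        record = self._records.get(key)
        if record is None:               # 1) this server never issued it
            return None
        user, bound_client, expires_at = record
        if self._clock() >= expires_at:  # 2) it was issued too long ago
            del self._records[key]
            return None
        same_client = hmac.compare_digest(
            bound_client.encode("utf-8"), client_id.encode("utf-8"))
        if not same_client:              # 3) it was issued to another client
            return None
        return user

    def revoke(self, token):
        """Logout: forget the token so a captured copy stops working."""
        self._records.pop(self._digest(token), None)
```

A token that fails any check is treated the same as one that never existed, so the caller learns nothing about which check failed.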

