Heh, good point Adam. I'm definitely going to start telling my clients they just need to get over this whole silly "logging in" thing...
;-)

On 10/3/07, Adam Taft <[EMAIL PROTECTED]> wrote:
>
> JC wrote:
> > I am trying to develop a Restful login system.
>
> I have never found a form or url based authentication system that felt
> anywhere near as good (or even as RESTful) as using Basic Authentication
> over SSL.
>
> First of all, I believe people need to get over this concept of "logging
> in." For a RESTful request, there really is no such thing; logging in
> implies server state and sessions, which of course is not RESTful.
>
> When you request a protected resource, the server should simply expect
> proper authentication headers to be included in the request. If they're
> not there (or possibly invalid), it returns a 401 status. It's up to
> the user agent to provide those credentials and build the appropriate
> header entry. The HTTP header is the appropriate place to do so because
> otherwise you have to pass it on the URL, which of course is yucky.
>
> Anyway, I think the first step is getting over the "logging in" thing.
> It's really contrary to REST.
>
> Hope this helps,
>
> Adam
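The per-request check described in the quoted message (no session, credentials in the `Authorization` header, 401 otherwise), as an added example that is not part of the original thread. The user table, realm name, function names and the choice to answer 403 on a cleartext connection are assumptions of this example.

```python
import base64
import hmac

# Constructed sample credential store (hypothetical user and password).
# A real service would store salted password hashes, not plaintext.
USERS = {"alice": "correct horse"}
REALM = "example"  # hypothetical realm name


def parse_basic(header):
    """Return (user, password) from an Authorization header value, or None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    # Split on the first colon only: the password may itself contain colons.
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def handle(headers, is_tls=True):
    """Stateless check: every request must carry its own credentials."""
    if not is_tls:
        # Basic credentials are only base64-encoded, so refuse cleartext.
        return 403, {}, "TLS required"
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        return 401, challenge, "credentials required"
    user, password = creds
    expected = USERS.get(user)
    # Constant-time comparison; unknown users are compared against a dummy
    # value so both failure paths do the same work.
    ok = hmac.compare_digest(password.encode(), (expected or "").encode())
    if expected is None or not ok:
        return 401, challenge, "invalid credentials"
    return 200, {}, f"hello {user}"
```
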

