I know you're teasing, so I won't be long... but just to be clear, when
I say "people should get over this concept of logging in", I mean us
developers, not the end users.
The user agent, of course, still prompts the user for credentials when
it's appropriate to do so. The login process, as the end user perceives
it, still happens. It's just all about thinking in "stateless" RESTful
terms, which it seems is hard for some (many? most??) web developers.
Adam
Jeff Walter wrote:
Heh, good point Adam. I'm definitely going to start telling my clients they
just need to get over this whole silly "logging in" thing...
;-)
On 10/3/07, Adam Taft <[EMAIL PROTECTED]> wrote:
JC wrote:
I am trying to develop a Restful login system.
I have never found a form or url based authentication system that felt
anywhere near as good (or even as RESTful) as using Basic Authentication
over SSL.
First of all, I believe people need to get over this concept of "logging
in." For a RESTful request, there really is no such thing; logging in
implies server state and sessions, which of course is not RESTful.
When you request a protected resource, the server should simply expect
proper authentication headers to be included in the request. If they're
not there (or possibly invalid), it returns a 401 status. It's up to
the user agent to provide those credentials and build the appropriate
header entry. The HTTP header is the appropriate place to do so because
otherwise you have to pass it on the URL, which of course is yucky.
Anyway, I think the first step is getting over the "logging in" thing.
It's really contrary to REST.
Hope this helps,
Adam
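As an added illustration of the exchange Adam describes (not code from this thread or from any project the list discusses), the following Python sketch shows both sides of stateless Basic authentication: the user agent builds the `Authorization` header, and the server checks every request on its own, answering 401 with a `WWW-Authenticate` challenge when the header is missing or wrong, and never keeping a session. The realm name, the user store and the request/response shapes are constructed assumptions; the password verification uses a salted PBKDF2 digest and a constant-time compare so a wrong guess and an unknown user take the same path. As the thread says, this only makes sense over TLS, since the header carries the password itself.

```python
import base64
import hashlib
import hmac
import os

REALM = "example"  # hypothetical realm name, not from the thread
KDF_ITERATIONS = 100_000


def _make_record(password: str) -> dict:
    """Constructed user store entry: salted PBKDF2 digest, never the clear text."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return {"salt": salt, "digest": digest}


# Constructed sample user store (assumption; a real server would persist this).
USERS = {"alice": _make_record("correct horse battery staple")}


def build_basic_header(username: str, password: str) -> dict:
    """User-agent side: encode user:password as RFC 7617 Basic credentials."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token}


def parse_basic_header(value: str):
    """Server side: return (user, password) or None if the header is malformed."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # bad base64 or non-UTF-8 payload
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None  # no colon, or empty user-id
    return user, password


def verify(user: str, password: str) -> bool:
    """Check credentials against the store in (near) constant time."""
    record = USERS.get(user)
    # Run the KDF even for unknown users so timing does not reveal existence.
    salt = record["salt"] if record else b"\x00" * 16
    expected = record["digest"] if record else b"\x00" * 32
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS)
    matched = hmac.compare_digest(candidate, expected)
    return matched and record is not None


def handle_request(headers: dict):
    """Stateless handler: each request must carry its own credentials.

    Returns (status, response_headers, body). No session is created or looked up.
    """
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}
    auth = headers.get("Authorization")
    if auth is None:
        return 401, challenge, "credentials required"
    parsed = parse_basic_header(auth)
    if parsed is None or not verify(*parsed):
        return 401, challenge, "invalid credentials"
    return 200, {}, f"hello {parsed[0]}"


if __name__ == "__main__":
    # Walk through the exchange: first request without credentials gets the
    # challenge, the user agent then repeats the request with the header.
    print(handle_request({}))
    print(handle_request(build_basic_header("alice", "correct horse battery staple")))
    print(handle_request(build_basic_header("alice", "wrong password")))
```

The point of the shape is that `handle_request` has nothing to remember between calls: the 401 is just the server's way of saying "include the header next time", and a correct header on any later request is accepted on its own merits.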