Hi Stephan,

On Dec 22, 2008, at 12:02 PM, Stephan Koops wrote:
> Hi Rhett,
>
>>> There is a way, but HTML and HTTP are not enough: You need JavaScript
>>> to send an XMLHttpRequest. But you can't use http state 401 for
>>> return, because the browser should prompt (search for "401" on
>>> http://www.w3.org/TR/XMLHttpRequest/)
>>> for the user's credentials, and that is what we don't want. So we
>>> have to use another HTTP state for it (I've implemented it with the
>>> undefined state 491 some months ago).
>>> But this way requires enabled JavaScript in the user's browser and
>>> support for the XMLHttpRequest object.
>>
>> If I understand you correctly, you are suggesting using an
>> XMLHttpRequest in order to send a request with an Authorization
>> header
>> to perform the login. That gets around the problem of using Guard to
>> do the initial authentication, but how do you prevent the user from
>> being prompted on every request? It seems like you'd still need some
>> sort of client-side state and a way to interpret it on the server.
> If you give the credentials to the browser, the browser saves them
> in memory and sends them for every request to the same realm on the
> server, until the browser is closed. So you don't need to re-enter
> them.
> This is client state, as you said, but client state is allowed in
> REST. Only application state in the server is forbidden.
>
>> Or do I misunderstand what you are suggesting? Do you have a writeup of
>> the XMLHttpRequest-based protocol you are using?
> I only set the credentials with the methods for it into the
> XMLHttpRequest.

Oh, so when you pass credentials using XMLHttpRequest, the browser
automatically caches them? That's cool. I didn't know that worked.

I guess this has the same downside as normal browser-based
authentication, then -- it's impossible to log out without quitting
the browser.

Thanks,
Rhett

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=990013
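
Added example, not part of the original thread and not Restlet or the posters' code: a server-side sketch of the status choice discussed above, where a failed script-driven login is answered with the non-standard 491 (no challenge header, so no browser prompt) and everything else keeps the normal 401. The account, the realm name and the `viaXhrLogin` flag are assumptions made for illustration.

```javascript
// Constructed demo account; a real service would verify against a salted password hash.
const DEMO_USER = 'alice';
const DEMO_PASSWORD = 'correct horse';

// Parse "Authorization: Basic <base64(user:password)>"; null when absent or malformed.
function parseBasic(header) {
  const m = /^Basic ([A-Za-z0-9+\/]+=*)$/i.exec(header || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':');          // the password may itself contain ':'
  if (sep < 0) return null;
  return { user: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

// Compare without returning early at the first mismatching byte.
function sameSecret(a, b) {
  const x = Buffer.from(a, 'utf8');
  const y = Buffer.from(b, 'utf8');
  let diff = x.length ^ y.length;
  for (let i = 0; i < x.length; i++) diff |= x[i] ^ y[i % y.length];
  return diff === 0;
}

// viaXhrLogin (hypothetical flag): true when the request reached the endpoint
// that the page's script calls through XMLHttpRequest.
function authDecision(authorizationHeader, viaXhrLogin) {
  const creds = parseBasic(authorizationHeader);
  let ok = false;
  if (creds !== null) {
    const userOk = sameSecret(creds.user, DEMO_USER);
    const passOk = sameSecret(creds.password, DEMO_PASSWORD);
    ok = userOk && passOk;
  }
  if (ok) return { status: 200, headers: {} };
  // 491 is not a registered status code: the browser sees no WWW-Authenticate
  // challenge, shows no dialog, and the script can report the failure itself.
  if (viaXhrLogin) return { status: 491, headers: {} };
  // Ordinary navigation still gets the standard challenge.
  return { status: 401, headers: { 'WWW-Authenticate': 'Basic realm="demo"' } };
}
```

Because the browser keeps resending the cached credentials until it is closed, every protected resource still has to run the same check on each request; the 491 branch only changes how a failure is reported to the script.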