I'm doing a prototype (learning a little bit more of everything) just
for fun using Lift and a Firefox extension to understand the usual
infrastructure of a Delicious API kind of thing.

Right now I have the communication from the FFext to a REST API in Scala
(and it was painless to do it =) ), but right now I'm sending the
username and password in each request so the API can decide if the
information should be stored and, if so, linked to what user. Analyzing
a little bit of the code of other Firefox extensions and some network
behaviour, I realize most of them are not sending that auth information
in every request, but the server already has a way to associate a
session with the FFext (I'm not sure).

So the options I have so far are:
-> Keep sending the username and password (not a good idea)
-> Keep sending the username and password encrypted (any ideas what
algorithm to use here?)
-> Generate a token after the login and after that handshake trust that
token (any guideline on the use of these tokens? possible security
issues?)
-> Use an OAuth server/client industry standard bullet-proof handshake

Also, I would like to know how important it is to encrypt the bjax
(browser ajax) post information? I'm sending information I would like
to know it's secure.

I just wanted to bring these ideas to the table to know a little bit
more of the best practices and security involved in this kind of
project, and if someone has a very simple solution to "trusting" an
input received like this and/or how to link this to a user, help me
brainstorm pls =)
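
The third option in the list above (a token issued after login), as an added example that is not part of the original post and is not Lift code: the server signs a user id and expiry time with HMAC-SHA256 once the password check succeeds, and every later request carries only that token. It is written in JavaScript (Node.js) as a stand-in for the Scala API; `issueToken`, `verifyToken`, `sign` and `SERVER_SECRET` are hypothetical names, and the scheme assumes requests travel over HTTPS so the token cannot be read in transit.

```javascript
// Added example: HMAC-signed, expiring session token (Node.js standard library only).
const crypto = require('crypto');

// Hypothetical server-side key. It never leaves the server; a real deployment
// loads it from configuration instead of generating it at start-up.
const SERVER_SECRET = crypto.randomBytes(32);

function sign(payload, secret) {
  return crypto.createHmac('sha256', secret).update(payload).digest('base64url');
}

// Called once, after the username/password check has succeeded.
function issueToken(userId, secret, nowMs, ttlMs) {
  const claims = JSON.stringify({ uid: userId, exp: nowMs + ttlMs });
  const payload = Buffer.from(claims).toString('base64url');
  return payload + '.' + sign(payload, secret);
}

// Called on every later request. Returns the user id, or null when the token
// is malformed, was not signed with this secret, or has expired.
function verifyToken(token, secret, nowMs) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 2) return null;
  const [payload, mac] = parts;
  const expected = Buffer.from(sign(payload, secret));
  const given = Buffer.from(mac);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  let claims;
  try {
    claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  } catch (e) {
    return null;
  }
  if (!claims || typeof claims.exp !== 'number' || nowMs >= claims.exp) return null;
  return claims.uid;
}

// Stand-alone run: issue a 15-minute token and check it immediately.
const demoToken = issueToken('alice', SERVER_SECRET, Date.now(), 15 * 60 * 1000);
console.log(demoToken, '->', verifyToken(demoToken, SERVER_SECRET, Date.now()));
```

The password is sent once, at login; a stolen token is only useful until its expiry time, and changing the server secret invalidates every outstanding token.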