Thanks again. I thought REST was stateless, so even if I sent an AJAX call via HTTP to a remote CFC, the user's session state wouldn't be included.

For instance, when a user logs in, I create a variable 'session.myID' which is the user's userID. Would AJAX calls be able to use that session info?

On Mon, Jul 23, 2012 at 2:16 PM, Matthew Woodward <[email protected]> wrote:
> On Mon, Jul 23, 2012 at 10:42 AM, Jason King <[email protected]> wrote:
>>
>> I'm assuming I basically need to create some kind of API key that
>> would be passed along with the rest of the arguments, and the CFC
>> would only run if the API key matches the userID?
>
>
> Right -- if you search on how to secure REST resources (language doesn't
> matter here) you'll find reams of stuff. If a login is required they can
> pass a known, semi-permanent token or other creds as part of the request, or
> if it's a one-time operation and you only WANT people to be able to use a
> token once or for a limited time, the process is similar but you'd look into
> using a nonce and negotiating things slightly differently.
>
> And don't forget since this is just HTTP you can secure this in the web
> server using anything available at that level as well.
> --
> Matthew Woodward
> [email protected]
> http://blog.mattwoodward.com
> identi.ca / Twitter: @mpwoodward
>
> Please do not send me proprietary file formats such as Word, PowerPoint,
> etc. as attachments.
> http://www.gnu.org/philosophy/no-word-attachments.html
>
> --
> online documentation: http://openbd.org/manual/
> http://groups.google.com/group/openbd?hl=en
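The two token styles Matthew describes (a semi-permanent per-user token, and a one-time nonce token with a limited lifetime) are both instances of the same check: the server signs "who, until when, random nonce" with a secret only it holds, hands that to the client after login, and every later request must carry it alongside the userID. The example below is added here to illustrate that check; it is not code from this thread or from OpenBD, and it is in Python rather than CFML only because, as the reply says, the language does not matter. `SERVER_SECRET`, `issue_token`, `verify_token` and `handle_request` (a stand-in for the remote CFC method) are hypothetical names; the spent-nonce set is an in-process placeholder for whatever shared store a real deployment would use.

```python
"""Per-user API key for a stateless endpoint: HMAC-signed, time-limited,
optionally single-use (nonce).  Added illustration, not OpenBD or thread code."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumption: a long random secret that lives only on the server (config or
# secrets store), never sent to the browser.
SERVER_SECRET = b"replace-me-with-32-plus-random-bytes-from-a-secrets-store"

# Nonces already spent, for single-use tokens.  In production this would be a
# shared store (database, cache) with its own expiry, not a process-local set.
_spent_nonces = set()


def _sign(payload: str) -> str:
    """HMAC-SHA256 over the payload; only a holder of SERVER_SECRET can produce it."""
    return hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user_id: int, ttl_seconds: int = 900, now: Optional[int] = None) -> str:
    """Mint "userID:expiry:nonce:mac" for an already-authenticated user.

    The login handler decides who user_id is; the token only lets the server
    later prove that it issued this exact claim and nobody altered it.
    """
    now = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16)            # 128 random bits, unguessable
    payload = f"{user_id}:{now + ttl_seconds}:{nonce}"
    return f"{payload}:{_sign(payload)}"


def verify_token(token: str, claimed_user_id, now: Optional[int] = None,
                 single_use: bool = False) -> bool:
    """True only if we issued token for claimed_user_id and it is still valid."""
    now = int(time.time()) if now is None else now
    parts = token.split(":")
    if len(parts) != 4:
        return False
    user_id, expiry, nonce, mac = parts
    payload = f"{user_id}:{expiry}:{nonce}"
    # Constant-time compare: a plain == leaks how many leading bytes matched.
    if not hmac.compare_digest(_sign(payload), mac):
        return False                         # forged or tampered
    if user_id != str(claimed_user_id):
        return False                         # valid token, but for someone else
    if not expiry.isdigit() or now >= int(expiry):
        return False                         # expired (or malformed expiry)
    if single_use:
        if nonce in _spent_nonces:
            return False                     # replay of a one-time token
        _spent_nonces.add(nonce)
    return True


def handle_request(args: dict, now: Optional[int] = None) -> dict:
    """Stand-in for the remote CFC method: everything it needs arrives in the
    request arguments, so no session state is consulted at all."""
    token = args.get("apiKey", "")
    user_id = args.get("userID")
    if user_id is None or not verify_token(token, user_id, now=now):
        return {"status": 401, "error": "invalid or expired API key"}
    return {"status": 200, "userID": int(user_id),
            "data": f"private data for user {user_id}"}


if __name__ == "__main__":
    # Constructed walk-through: login issues the key, the AJAX call presents it.
    key = issue_token(42, ttl_seconds=900, now=1000)
    print(handle_request({"userID": "42", "apiKey": key}, now=1500))   # 200
    print(handle_request({"userID": "43", "apiKey": key}, now=1500))   # 401
    print(handle_request({"userID": "42", "apiKey": key}, now=2000))   # 401, expired
```

The semi-permanent variant is `verify_token(..., single_use=False)` with a long TTL; the one-time variant is `single_use=True` with a short TTL, which is where the nonce store earns its keep. Because the MAC covers the userID, a client cannot take its own key and resubmit it with a different userID, which is the "API key matches the userID" requirement from the question. Send it over HTTPS, since the key is a bearer credential and anyone who captures it can use it until it expires.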
