:) Gives me plenty to go back to my managers with. What I suggested above was a quick fix and I now feel dirty for posting it now.. The existing API looks like it has always just used session based authentication.
The project I'm on has been under full time development since March 2006 and I'm not kidding when I say it's a behemoth.. it needs major refactoring and has had stuff patched on top of it all over the place, but the company already has quite a few customers that have already built their own solutions on top of the existing API, so API changes have to be kept to an absolute minimum, if any at all.

From what you've all said above, to do it properly looks like we'd need to bite the bullet and move all API calls into a separately namespaced area (not totally necessary, but desirable) and use token authentication on every API request rather than session based, and leave the CSRF protection on for everything else within the normal website that uses the regular session based authentication. This makes sense; I was trying to find a solution that wouldn't impact the existing customers too much, but I don't think that's going to be possible if they want this done properly. Will go and find out.

Thanks again for your help guys, much appreciate the input!

Lucas

--
You received this message because you are subscribed to the Google Groups "Ruby or Rails Oceania" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/rails-oceania?hl=en.
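One way to express the split Lucas describes (namespaced API authenticated by token on every call, CSRF protection kept for the session-based site), as an added stand-alone Ruby example that is not code from this thread or from any Rails project; the request hash, the constructed token table and the helper names are assumptions standing in for Rails' request and session objects:

```ruby
# Constructed sample token table (customer API key -> account); not from the thread.
API_TOKENS = { 'tok-customer-42' => 'customer_42' }.freeze
SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

# Constant-time string compare so token checks do not leak timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Resolves a bearer token from the Authorization header; nil if absent or unknown.
def api_user_for(headers)
  token = headers.fetch('Authorization', '').sub(/\ABearer /, '')
  return nil if token.empty?
  match = API_TOKENS.find { |known, _| secure_equal?(known, token) }
  match && match.last
end

# The routing decision from the thread. `request` is a plain hash standing in
# for Rails' request/session objects (an assumption for this stand-alone example):
#   { path:, method:, headers:, session:, params: }
# Returns [status, body].
def authorize(request)
  if request[:path].start_with?('/api/')
    # Namespaced API: token on every call, the session is ignored, no CSRF check.
    # A token the browser never attaches automatically cannot be replayed by CSRF.
    user = api_user_for(request[:headers] || {})
    return [401, 'api: token required'] unless user
    [200, "api ok for #{user}"]
  else
    # Regular site: session login plus authenticity token on state-changing verbs.
    session = request[:session] || {}
    return [401, 'web: login required'] unless session[:user_id]
    unless SAFE_METHODS.include?(request[:method])
      submitted = (request[:params] || {}).fetch('authenticity_token', '')
      expected = session.fetch(:csrf_token, '')
      unless !expected.empty? && secure_equal?(submitted, expected)
        return [403, 'web: invalid authenticity token']
      end
    end
    [200, "web ok for user #{session[:user_id]}"]
  end
end
```

In a Rails app the same split is usually written as `protect_from_forgery` on the web controllers and `authenticate_or_request_with_http_token` on the controllers under the API namespace.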
