I’m finding this surprisingly difficult to sort out. I’ve a website that is mostly for access by a REST API. It uses Authlogic.
I naively assumed that if the API client had the user authenticate and then returned the cookie on subsequent actions, they would be logged in, but they aren’t. Further experimentation shows that if I send a form by putting a static file in the public directory, the user isn’t being authenticated when that is submitted either. What am I missing here?

I’m seeing scattered references to single_access_token, all of which seem to assume that you already know what that is and how to use it from your client app, so I can’t find a single clear statement of what’s going on. I’m tempted to generate a UUID and dispense it to the client on login, then have them feed that back to me as one of the URL args. But this seems blunt and stupid when presumably the login information is there in the user’s cookie. I’ve spent hours Googling this without finding a clear statement of what is best practice for secure access to an Authlogic site.

-- SD Ruby mailing list [email protected] http://groups.google.com/group/sdruby
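The "hand the client a random token at login and have it send that back" scheme the poster is considering is essentially what an API access token is, and done carefully it is not blunt at all. The following is an added example, not the poster's code and not Authlogic's implementation (Authlogic's single_access_token column plays this role inside Rails, but nothing below depends on the gem). It is plain Ruby using only the standard library; the class and method names (ApiTokenStore, issue, authenticate, revoke, bearer_token) are assumptions made for the illustration. It shows the three things a practitioner would want beyond "generate a UUID": enough entropy in the token, storing only a digest of it server-side, and reading it from an Authorization header rather than a URL argument, because query strings end up in access logs, proxy logs and Referer headers. (A separate guess, not something the post confirms: a static form posted from the public directory will lack a Rails authenticity token, and forgery protection can discard the session on such a request, which would match the symptom described.)

```ruby
require 'securerandom'
require 'digest'
require 'time'

# Added example (not from the original post, not Authlogic's code).
# Issues an opaque API token after a normal password login and checks it on
# later requests. Names are assumptions made for this illustration.
class ApiTokenStore
  TOKEN_BYTES = 32        # 256 bits of entropy; a UUID carries only 122
  DEFAULT_TTL = 60 * 60   # one hour; tokens should not live forever

  # The store keeps only SHA-256 digests of tokens, so a leaked copy of the
  # table does not hand an attacker working credentials. A clock lambda is
  # injected so expiry is testable without sleeping.
  def initialize(ttl: DEFAULT_TTL, clock: -> { Time.now })
    @ttl = ttl
    @clock = clock
    @by_digest = {}
  end

  # Call once after the user has authenticated by the usual login form.
  # Returns the raw token exactly once; it is never stored in the clear.
  def issue(user_id)
    token = SecureRandom.urlsafe_base64(TOKEN_BYTES)
    @by_digest[digest(token)] = {
      user_id: user_id,
      expires_at: @clock.call + @ttl
    }
    token
  end

  # Returns the user id for a live token, nil for unknown or expired ones.
  # Lookup is by digest of a high-entropy token, so there is no
  # attacker-influenced string comparison to leak timing information.
  def authenticate(token)
    return nil if token.nil? || token.empty?
    key = digest(token)
    record = @by_digest[key]
    return nil if record.nil?
    if record[:expires_at] <= @clock.call
      @by_digest.delete(key)   # garbage-collect on the way out
      return nil
    end
    record[:user_id]
  end

  # Logout: returns true if a token was actually invalidated.
  def revoke(token)
    !@by_digest.delete(digest(token)).nil?
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end

# Pulls the token from the Authorization header of a Rack-style env hash.
# Sending it in a header rather than as a URL argument keeps it out of
# server and proxy logs and out of Referer headers.
def bearer_token(env)
  header = env['HTTP_AUTHORIZATION'].to_s
  m = header.match(/\ABearer\s+([A-Za-z0-9\-_=]+)\z/)
  m && m[1]
end

if $PROGRAM_NAME == __FILE__
  store = ApiTokenStore.new
  token = store.issue(42)                       # after password login succeeds
  env = { 'HTTP_AUTHORIZATION' => "Bearer #{token}" }   # constructed request
  puts "authenticated as user #{store.authenticate(bearer_token(env)).inspect}"
  store.revoke(token)
  puts "after revoke: #{store.authenticate(bearer_token(env)).inspect}"
end
```

Within Rails the same shape applies: issue the token from the session-creating action, look it up in a before filter, and return 401 rather than redirecting to a login page when it is missing or invalid, since an API client cannot follow a browser-style login flow.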
