Hi, on my client, if I run a GET request, I'll have to authenticate, but
after that all other GETs don't require authentication. Then, as soon
as there is a POST, I will have to re-authenticate. I'd prefer the
server just accepted the POST request as part of the session from the
already authenticated user and didn't re-ask for credentials. See
headers below: GET Request > Authenticate > POST Request > Fail



http://twitter.com/account/verify_credentials.json?callback=jsonp1239486621989&_=1239493435268

GET /account/verify_credentials.json?callback=jsonp1239486621989&_=1239493435268 HTTP/1.1
Host: twitter.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Authorization: Basic ZGVzbWlkaXNvOmd3dHdnd3R3

HTTP/1.x 200 OK
Date: Sat, 11 Apr 2009 23:44:15 GMT
Server: hi
Last-Modified: Sat, 11 Apr 2009 23:44:15 GMT
Status: 200 OK
Etag: "a69811ab820044f3fcad85ed061bb512"-gzip
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
Content-Type: application/json; charset=utf-8
Expires: Tue, 31 Mar 1981 05:00:00 GMT
X-Revision: 0d279c956b77447dc8b68179a828f0d93a6e93e3
X-Transaction: 1239493455-52742-21090
Set-Cookie: lang=; path=/
Set-Cookie:
_twitter_sess=BAh7CToJdXNlcmkEKCLNAToTcGFzc3dvcmRfdG9rZW4iLWFkNmEzZGQzMzli
%250AOGRiZTE5YmViNTFlYzAwODZhYjRhZjE3NGY1OTE6B2lkIiU4MjAwYTFmYTA5%250AM2I4ZWUxYTEzNmJlOTQ4NmZlNzgzOCIKZmxhc2hJQzonQWN0aW9uQ29udHJv
%250AbGxlcjo6Rmxhc2g6OkZsYXNoSGFzaHsABjoKQHVzZWR7AA%253D%253D--
b68d85bbacedd2a15c46152c514ac78fc30c1873; domain=.twitter.com; path=/
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 491
Connection: close

------------
https://twitter.com/statuses/update.xml

POST /statuses/update.xml HTTP/1.1
Host: twitter.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 53

source=Twitya&in_reply_to_status_id=&status=Hello+God

HTTP/1.x 401 Unauthorized
Date: Sat, 11 Apr 2009 23:47:38 GMT
Server: hi
Status: 401 Unauthorized
WWW-Authenticate: Basic realm="Twitter API"
Cache-Control: no-cache, max-age=1800
Content-Type: application/xml; charset=utf-8
Set-Cookie:
_twitter_sess=BAh7BzoHaWQiJTc2OGQzNGEzNzlhNWYyNjliNTI1NDIzZTYxYmU4ZjkyIgpm
%250AbGFzaElDOidBY3Rpb25Db250cm9sbGVyOjpGbGFzaDo6Rmxhc2hIYXNoewAG
%250AOgpAdXNlZHsA--546494cea99c2f48565af4f437ae265f04ed6bc6;
domain=.twitter.com; path=/
Expires: Sun, 12 Apr 2009 00:17:38 GMT
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 135
Connection: close
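
A capture like the one above can be checked mechanically for which requests actually carried credentials. This is an added example, not part of the original post: the `head` and `audit` helpers are hypothetical, and the sample is abbreviated from the post with the credential and cookie values replaced by placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample: abbreviated from the capture in the post, with the
# credential and session-cookie values replaced by placeholders.
CAPTURE = [
    ("http://twitter.com/account/verify_credentials.json",
     "GET /account/verify_credentials.json HTTP/1.1\r\nHost: twitter.com\r\n"
     "Authorization: Basic PLACEHOLDER\r\n\r\n",
     "HTTP/1.x 200 OK\r\nSet-Cookie: _twitter_sess=PLACEHOLDER; "
     "domain=.twitter.com; path=/\r\n\r\n"),
    ("https://twitter.com/statuses/update.xml",
     "POST /statuses/update.xml HTTP/1.1\r\nHost: twitter.com\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\nstatus=Hello",
     "HTTP/1.x 401 Unauthorized\r\n"
     'WWW-Authenticate: Basic realm="Twitter API"\r\n\r\n'),
]

def head(raw):
    """Split a message head into (start line, {lower-cased name: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    fields = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        fields[name.strip().lower()] = value.strip()  # last value wins
    return lines[0], fields

def audit(capture):
    """Report, per exchange, which credentials the request carried."""
    rows, authed_origins = [], set()
    for url, request, response in capture:
        parts = urlsplit(url)
        origin = f"{parts.scheme}://{parts.netloc}"
        _, req = head(request)
        status = int(head(response)[0].split()[1])
        sent = [h for h in ("authorization", "cookie") if h in req]
        if "authorization" in sent and status < 400:
            authed_origins.add(origin)
        finding = None
        if status == 401 and "authorization" not in sent:
            finding = "401: request carried no Authorization header"
            if origin not in authed_origins:
                finding += f"; {origin} was never authenticated in this capture"
        rows.append({"origin": origin, "sent": sent,
                     "status": status, "finding": finding})
    return rows

if __name__ == "__main__":
    for row in audit(CAPTURE):
        print(row)
```

Browsers scope cached Basic credentials to the scheme, host, port and realm of the URL that was challenged, which is why the audit compares origins rather than host names.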
