I don't rely on SSL - to avoid any potential hassles with Apple's app
store - "Does your application use encryption?".
The scheme I did use will work happily with SSL, if the data is
sensitive, and without, for routine app data, game data, etc.
As an example, my requests to the server contain;
1/ a uuid
2/ current time
3/ md5 hash of user credentials + uuid + time
4/ any other data
The client first synchronizes it's time with the server. Each request
is only valid for 30 seconds (the server checks the time built into the
request). The server also temporarily stores the uuid, so it can only
be used once (auto deleted after 60 seconds - by which time the request
is no longer valid). The important user credentials are never sent as
plain text and each request is only valid once - anyone snooping can't
send the same request as the uuid will be rejected. The reason for
sending the uuid and time (which are also built into the md5 hash) is so
that the server can rebuild the same hash from the user credentials in
the database and verify a 'login'.
HTH
John.
On 06/04/2013 23:05, Geoff Canyon wrote:
With on-rev, how do you handle authentication/a secure connection?
_______________________________________________
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode
_______________________________________________
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode