I am working on Rails 2.3.14. I am providing web services for
an iPhone app through XML.
My Rails app uses the authlogic gem for authentication. How do I
authenticate an API call from an iPhone app?
Initially I am able to sign up and log in through an XML POST
request. After login, how does my Rails app identify me as a logged-in
user? Do I need to provide a token after login and use the token
for further API call requests? I am a novice in this. Please suggest
the best way to implement authentication for an iPhone app.
Thanks in advance.
One typical way is to use a combination of
- https (to authenticate the server and encrypt the channel)
- use “Basic Authentication” through this channel
Check e.g. curl -u/--user user:password as a way to test this.
The user:password combination is sent with each request (but
this is encrypted by using https).
In Rails the set-up of Basic Authentication is very simple (that
is a “good thing”: less chance to make security errors).
Of course, you need an SSL certificate for your server to do this.
Since you say you are a novice, make sure you have your solution
validated by a person with deep security experience before putting
it in real production.
*** Available for a new project ***
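A server-side sketch of the HTTPS plus Basic Authentication check described in the reply above. This is an added example, not code from the thread or from authlogic. The user store, salt and all method names are hypothetical, and the `env` keys follow Rack's naming.

```ruby
require 'base64'
require 'openssl'

# Constructed sample data (hypothetical): one user, password stored as a PBKDF2 hash.
SALT = 'constructed-salt'
def derive(password)
  OpenSSL::PKCS5.pbkdf2_hmac(password, SALT, 10_000, 32, OpenSSL::Digest.new('SHA256'))
end
USERS = { 'alice' => derive('s3cret-sample') }.freeze
DUMMY = derive('placeholder-for-unknown-users')

# Header value a client such as `curl -u user:password` sends with every request.
def basic_header(user, password)
  'Basic ' + Base64.strict_encode64("#{user}:#{password}")
end

# Compare equal-length byte strings without stopping at the first mismatch.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Returns [user, password], or nil when the header is missing or malformed.
def parse_basic(header)
  scheme, blob = header.to_s.split(' ', 2)
  return nil unless blob && scheme.casecmp('Basic').zero?
  user, password = Base64.strict_decode64(blob).split(':', 2)
  password ? [user, password] : nil
rescue ArgumentError
  nil
end

# Returns [:ok, user], [:unauthorized, nil] or [:insecure_channel, nil].
def authenticate(env)
  # Basic credentials are only base64-encoded, so refuse them over plain HTTP.
  return [:insecure_channel, nil] unless env['rack.url_scheme'] == 'https'
  user, password = parse_basic(env['HTTP_AUTHORIZATION'])
  return [:unauthorized, nil] unless user
  # Always run the hash, even for unknown users, so both paths cost the same.
  expected = USERS.fetch(user, DUMMY)
  ok = secure_compare(derive(password), expected) && USERS.key?(user)
  ok ? [:ok, user] : [:unauthorized, nil]
end
```

In an authlogic-backed app the `USERS` lookup would be replaced by the user model's own password check; the transport check and header parsing stay the same.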
Have you tried just making the requests subsequent times? I haven't
used authlogic specifically, but this works for me on my iPhone app,
which uses old restful_authentication.
Usually when you do the initial login the auth system stores the user
ID in the session, and then on subsequent requests it will "log in" by
virtue of the session having the user ID. This session is (again
usually) persisted by a cookie being passed back and forth (the name
of it is set in config/initializers/session_store.rb for my Rails
2.3.x app; it's the :key key of the hash sent to
ActionController::Base.session). So as long as your iPhone app
continues passing along this cookie with each subsequent request
(which from my experience it does automatically), then your app will
have the same session, which in turn has the user ID, which in turn
logs in and authenticates that person.
The caveat(s) here are to make sure that authlogic is doing the login
persistence in the session (it almost has to be if you have a web
facing app that is of any use to someone logged in), and to make sure
that the iPhone is sending the session cookie with each request.