Session keys vs Infinite Session keys - How does Services handle it?

raspberryman - March 4, 2008 - 04:39
Project: Services
Version: 6.x-1.x-dev
Component: Miscellaneous
Category: support request
Priority: normal
Assigned: sumitk
Status: closed
Description

I could use your support in learning a detail about sessions.

For the Services module, what is the difference between:

1) Session token - temporary token used to track a user during a browser session

2) Authentication token - permanent, one-time token saved when an app has successfully validated a user

My Facebook developer said it was uncommon to use sessid for the purpose of an authentication token, because the Facebook app is merely 'add/remove' by Facebook users, without re-authenticating whenever a session expires.

He also said that, where sessid is used, it is uncommon for cookies to be required to deliver it.

What is the benefit of using session tokens instead of a one-time "authentication approved" token?

Thanks for your insights!

#1

raspberryman - March 5, 2008 - 00:20
Title: Session tokens vs Authentication token - How does Services handle it? » Session keys vs Infinite Session keys - How does Services handle it?

To be more clear on the language, I am talking about:

1) Drupal Session Keys

vs.

2) Infinite Session Keys (as discussed at: http://developers.facebook.com/documentation.php?doc=auth#infinite_sessions)

So I suppose this is a feature request for Infinite Session Keys in addition to the normal Drupal sessid.

Also - On the platform APIs that do use sessions, I can't find any that require cookies. Services module does require cookies. Is this the plan going forward? What is the philosophy behind this? (I am learning :)

Cheers all!

#2

sumitk - June 2, 2008 - 12:25
Version: 5.x-1.x-dev » 6.x-1.x-dev
Assigned to: Anonymous » sumitk

I am going to discuss a bit about the OAuth open source protocol (http://oauth.net) integration with ServicesAPI.
After integration of OAuth into Services (which is already in progress and will be completed in about a month), it will work the same as you discussed above in the Facebook API.
Each authentication with OAuth will provide the consumer a time-bound token to access data from the Service Provider (Drupal site).
As the token expires, it will again make a request call, and if the user is already logged in, the Server (Drupal site) will issue another access token (same token as issued before time bound = 2hrs.) to the consumer.
In this way it may act as an infinite token OR a time-bound token.

Keep track at http://drupal.org/project/oauth_services

Cheers!!
sumit
www.sumitk.net

#3

heyrocker - November 24, 2009 - 03:56
Status:active» closed

So to clean out this very very old issue, obviously the oAuth integration never happened. I am currently recommending anyone interested in oAuth check out the oauth_common and services_oauth modules. Dave Cohen's Facebook module may also be of some use.

In response to the question about cookies, Drupal requires cookies for login as part of an issue which is a bit too complicated to get into here. Thus we have to. This is really all 'for the record' since I very much doubt that anyone is really following this issue anymore.

 
 
