Re: xml-rpc authentication for specific methods
Robert P. Goldman <rpgoldman <at> real-time.com>
2004-08-27 16:07:30 GMT
--- In xml-rpc <at> yahoogroups.com, "Llama_child" <llama_child <at> y...> wrote:
> Hello!
>
> I've been fiddling with xml-rpc for a while now and totally dig it. I
> have a small problem. Let me explain..
>
> I have an xml-rpc server written in PHP and a client written in Flash
> MX. I want the server to allow the client to call methods that are
> restricted in access; I basically have a couple of methods for which I need to
> authenticate users first. I've read that the best way to do this is
> the challenge-authenticate method, which I assume works like thus:
>
> 1) the client calls the xml-rpc method "getChallenge"
> 2) the server creates a seed, and stores it in a database indexed by
> IP address.
> 3) the client then MD5's the password and seed together and calls the
> restricted method, e.g.: updateDatabase(seedAndPassword,
> arrayOfValuesToUpdateDB)
> 4) the server grabs the seed from the database (based on IP address)
> and MD5's the seed with the password in the DB, if things are groovy,
> the method then carries on and updates the database with the second
> parameter.
> 5) the seed and IP Address entry is removed from the database
> (ensuring that for each request, the whole Challenge-auth method
> occurs each time; no seed is re-used)
>
> Is this the best way of doing this? Is it not easier to use cookies,
> or should I ride with the "stateless-ness" of xml-rpc and implement
> my server in this manner, or is using cookies seen as "impure"?
>
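The five-step exchange outlined in the quoted question, written out as an added Python example that is not part of the original thread or anyone's posted code. It swaps in HMAC-SHA256 for the MD5 of seed plus password, indexes the seed by a random challenge id instead of the IP address (so two clients behind one address do not share a seed), and makes the proof cover the method name and parameters as well. All function names, the user record and the 30-second lifetime are assumptions made for the illustration.

```python
import hashlib, hmac, json, secrets, time

CHALLENGE_TTL = 30                              # seconds; assumed value
USERS = {"alice": b"constructed-demo-secret"}   # constructed sample credential
_pending = {}   # challenge id -> (seed, expiry); stands in for the DB table


def get_challenge(now=None):
    """Steps 1-2: issue a random seed, indexed by a random id rather than IP."""
    now = time.time() if now is None else now
    cid, seed = secrets.token_hex(8), secrets.token_hex(16)
    _pending[cid] = (seed, now + CHALLENGE_TTL)
    return cid, seed


def sign(secret, seed, method, params):
    """Step 3: keyed hash over the seed, the method name and its parameters."""
    msg = json.dumps([seed, method, params], sort_keys=True)
    return hmac.new(secret, msg.encode(), hashlib.sha256).hexdigest()


def call_restricted(user, cid, proof, method, params, now=None):
    """Steps 4-5: consume the seed, then verify the proof in constant time."""
    now = time.time() if now is None else now
    seed, expiry = _pending.pop(cid, (None, 0))  # removed even if the check fails
    secret = USERS.get(user)
    if seed is None or secret is None or now > expiry:
        return False
    expected = sign(secret, seed, method, params)
    return hmac.compare_digest(expected.encode(), str(proof).encode())


def demo():
    """Run the exchange: valid call, replay, altered parameters, expired seed."""
    key, params = USERS["alice"], {"table": "scores", "value": 42}
    results = {}
    cid, seed = get_challenge(now=1000)
    proof = sign(key, seed, "updateDatabase", params)
    results["valid"] = call_restricted("alice", cid, proof, "updateDatabase", params, now=1001)
    results["replay"] = call_restricted("alice", cid, proof, "updateDatabase", params, now=1002)
    cid, seed = get_challenge(now=1000)
    proof = sign(key, seed, "updateDatabase", params)
    results["tampered"] = call_restricted("alice", cid, proof, "updateDatabase", {"table": "users", "value": 42}, now=1001)
    cid, seed = get_challenge(now=1000)
    proof = sign(key, seed, "updateDatabase", params)
    results["expired"] = call_restricted("alice", cid, proof, "updateDatabase", params, now=1000 + CHALLENGE_TTL + 1)
    return results


if __name__ == "__main__":
    print(demo())
```

The password never crosses the wire, but the server still has to hold a password-equivalent secret, and nothing here hides the parameters themselves; confidentiality needs TLS underneath.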