justin nelson

Should the DeleteSession method read the username and session from the headers?

Most methods allow you to pass the username and session ID in as HTTP headers, but it looks like the DeleteSession method does not allow this. You are forced to pass the username and session ID as URL params.

Should this be changed? Or is this [status-by-design]? I like being able to hide the user data in the headers, it feels a little more secure.

Guest mrdavidlaing

Some background:

The initial design goal was to have the authentication stuff as headers, because it “felt a little more secure”.

Then we discovered that Flash won’t let you set the headers for GET requests (?!), so we added a “feature” that optionally allows the auth stuff to be put as querystring params. On the server side, we intercept requests, scan the querystring for specific values (UserName & Session), and move/overwrite these into headers before passing on for standard processing.

I suspect that we’ve ended up with a bit of a tangle w.r.t. deleting a session.

Could you provide some HTTP-level detail: what is the exact sequence of HTTP requests/responses that fails & works?

Guest sky.sanders

DeleteSession expects parameters.

Headers are ignored.

This is an aspect of the API that will likely not change in this version.


> Some background:
>
> The initial design goal was to have the authentication stuff as headers, because it “felt a little more secure”.
>
> Then we discovered that Flash won’t let you set the headers for GET requests (?!), so we added a “feature” that optionally allows the auth stuff to be put as querystring params. On the server side, we intercept requests, scan the querystring for specific values (UserName & Session), and move/overwrite these into headers before passing on for standard processing.
>
> I suspect that we’ve ended up with a bit of a tangle w.r.t. deleting a session.
>
> Could you provide some HTTP-level detail: what is the exact sequence of HTTP requests/responses that fails & works?

The delete method works as documented. It is just inconsistent with the other methods.

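As an added illustration (not code from the thread or from the project), here is a minimal model of the server-side interception described above: UserName and Session querystring values are moved into headers, overwriting any header already present, and a DeleteSession handler then reads only the normalised headers, which removes the inconsistency the original post complains about. The header names, the request model and the in-memory session table are assumptions; stripping the parameters from the query after the move is an addition so the session ID does not stay in the URL that gets logged.

```python
"""Normalise API credentials from the query string into HTTP headers.

Added example, not the project's code. Header names, the Request model
and the session table are assumed for illustration.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qsl, urlencode

# Querystring parameter -> header it is moved into (names assumed).
AUTH_PARAMS = {"UserName": "X-UserName", "Session": "X-Session"}


@dataclass
class Request:
    method: str
    path: str
    query: str = ""
    headers: dict = field(default_factory=dict)


def normalise_auth(req: Request) -> Request:
    """Move auth parameters from the query string into headers.

    A querystring value overwrites a header of the same name, matching the
    behaviour described in the thread. The parameters are then removed from
    the query so the session ID is not left in the logged URL.
    """
    kept = []
    for key, value in parse_qsl(req.query, keep_blank_values=True):
        header = AUTH_PARAMS.get(key)
        if header is None:
            kept.append((key, value))
        else:
            req.headers[header] = value
    req.query = urlencode(kept)
    return req


def delete_session(req: Request, sessions: dict) -> int:
    """DeleteSession reading headers only; returns an HTTP status code.

    `sessions` maps session ID -> owning username (assumed store).
    """
    user = req.headers.get("X-UserName")
    session = req.headers.get("X-Session")
    if not user or not session:
        return 401  # no credentials in either headers or querystring
    if sessions.get(session) != user:
        return 403  # session exists but belongs to someone else, or is unknown
    del sessions[session]
    return 200
```

Because every handler sees the same headers after `normalise_auth`, a caller may use either headers or querystring params for DeleteSession, exactly as for the other methods.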