dpkrbe395930
2009-11-17 23:02

Authenticating and tracking users in a JSON web service

Accepted answer

I have a contact management / CRM application used in-house by our company. It is a web-based app and thus uses a lot of Ajax. Most of the data is JSON, and the backend server uses PHP with MySQL as the database...

I would like to build a mini Adobe Air version of that, mostly because I can use Drag and Drop file uploads, client side image resizing, client side screenshot creation of uploaded files etc. etc.

Now, because the server side is a glorified JSON data provider, I figure I can adapt it to provide data to the AIR app.

My problem is, how do I handle authentication?
In PHP I use sessions for authentication...
For AIR I figure it will be more like a JSON web service, where you call a certain URL to access certain JSON data.

After a bit of brainstorming, here is what I came up with:

  1. The user logs in when the AIR app starts
  2. The server returns a unique token on successful login, and stores that token in the DB
  3. The AIR app has to append that token to every request it makes to the server
  4. On every request, the server checks the validity of the token by comparing it to the one stored in the DB.

The questions are,
is there a better way than this?
How long should the token be valid for?
How do I handle clients that close the application without logging out, and without giving me a chance to nullify the token on the server?

If anyone has been in a similar situation, I hope to be enlightened by your answers...

thanks

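The four-step scheme sketched in the question, as an added example that is not part of the original post (PHP 7.1+ with PDO; the table, column and function names are assumptions). It gives each token an absolute lifetime and an idle timeout, which is one way to deal with clients that quit without logging out, and stores only a hash of the token in the DB.

```php
<?php
// Added example, not code from the original post: the login-token scheme from the
// question with an absolute lifetime and an idle timeout, so clients that quit without
// logging out expire on their own. Table and column names are assumptions; needs
// PHP 7.1+. SQLite in memory is used so it runs stand-alone (MySQL PDO works the same).
const TOKEN_MAX_LIFETIME = 12 * 3600;  // force a fresh login after 12 hours
const TOKEN_IDLE_TIMEOUT = 30 * 60;    // drop tokens unused for 30 minutes

$db = new PDO('sqlite::memory:');      // MySQL: new PDO('mysql:host=...;dbname=...', $user, $pass)
$db->exec('CREATE TABLE api_tokens (token_hash TEXT PRIMARY KEY, user_id INTEGER, created_at INTEGER, last_seen_at INTEGER)');

// Step 2: after the password check passes, mint a random token and store only its
// hash, so a leaked copy of the table does not contain usable tokens.
function issueToken(PDO $db, int $userId, int $now): string {
    $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG, not guessable
    $db->prepare('INSERT INTO api_tokens VALUES (?, ?, ?, ?)')
       ->execute([hash('sha256', $token), $userId, $now, $now]);
    return $token;                        // sent once, in the login response JSON
}

// Step 4: run on every request. Returns the user id, or null if the token is unknown
// or has passed either limit (expired rows are deleted so the table does not grow).
function authenticateToken(PDO $db, string $token, int $now): ?int {
    $hash = hash('sha256', $token);
    $stmt = $db->prepare('SELECT user_id, created_at, last_seen_at FROM api_tokens WHERE token_hash = ?');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    if ($now - $row['created_at'] > TOKEN_MAX_LIFETIME || $now - $row['last_seen_at'] > TOKEN_IDLE_TIMEOUT) {
        $db->prepare('DELETE FROM api_tokens WHERE token_hash = ?')->execute([$hash]);
        return null;
    }
    $db->prepare('UPDATE api_tokens SET last_seen_at = ? WHERE token_hash = ?')->execute([$now, $hash]);
    return (int) $row['user_id'];
}

// Explicit logout; tokens of clients that never call this fall to the timeouts above.
function revokeToken(PDO $db, string $token): void {
    $db->prepare('DELETE FROM api_tokens WHERE token_hash = ?')->execute([hash('sha256', $token)]);
}

// Demo: login, a request 10 minutes later, then one 31 minutes after that, then a bogus token.
$t0 = time();
$token = issueToken($db, 42, $t0);
var_dump(authenticateToken($db, $token, $t0 + 600));        // request 10 min after login
var_dump(authenticateToken($db, $token, $t0 + 600 + 1860)); // 31 min idle: past TOKEN_IDLE_TIMEOUT
var_dump(authenticateToken($db, 'bogus', $t0));             // token never issued
```

Sending the token in a request header rather than in the URL keeps it out of web-server access logs.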

1 answer

  • doushanmo7024 12 years ago

    How about this:

    1. simply returning the PHP Session ID in your JSON data to the AIR App upon authentication
    2. Your AIR app stores the Session ID and uses it for requests in that session
    3. When your PHP receives a request with a Session ID, set the session to that Session ID:
    4. Your session will be maintained easily by PHP and you will be able to use $_SESSION as per normal.

    When you receive a request with Session ID, simply do this:

    <?php
    // Must run before session_start(): adopt the Session ID the AIR app sent back
    if (isset($_GET['sess_id'])) {
      // $_GET['sess_id'] is where you put the Session ID stored in your AIR app
      session_id($_GET['sess_id']);
    }
    session_start(); // resumes that session, so $_SESSION works as per normal

    This might be better because you drop the need of maintaining Sessions in database.
