Re: [Hampshire] looking for a good reference on using textin…

Author: Graham Bleach
Date:  
To: victor, Hampshire LUG Discussion List
CC: 
Subject: Re: [Hampshire] looking for a good reference on using textinput in RSS feeds

2008/5/12 Victor Churchill <victor@???>:
> 2008/5/12 Graham Bleach <graham@???>:
> > If so, you probably just want to use a standard HTTP authentication
> > method. This is pretty simple to configure in apache, for example.
>
> That might just be the solution! For some reason I'd become fixated
> that the arrangement would have to use some mechanism "internal" to
> XML/RSS, so when I read about '<textinput>' thought that that had to be
> the way.


So, the other option, which I've seen used by Google and Basecamp, is
to give people a "secret" URL, where the authentication takes the
form of some authentication token embedded in the URL e.g.
http://www.example.com/rss?auth=acbd18db4cc2f85cedef654fccc4a4d8

This is horribly insecure since URLs were simply never designed to be
secret and are stored all over the place. I believe that this was a
workaround for lack of support for forms-based authentication in RSS
clients.

My personal preference, for relatively low value data would be:

1) Digest authentication (no plaintext passwords)
2) HTTP auth over HTTPS
3) Plain HTTP auth
4) Authentication tokens in URLs

> Thanks for the lateral thinking - there are times when you ( I ) get
> so far down one particular train of thought that alternatives get
> overlooked.


Happy to help :)

G
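
The difference between the options listed in the message above, as an added example that is not part of the original post: it builds the same feed request with Basic auth, Digest auth (RFC 2617 without qop) and a URL token, then checks where the secret ends up. The user name, password, realm, nonce, token, client address and log line are all constructed sample values.

```python
import base64
import hashlib

# Constructed sample values, not taken from the original message.
USER, PASSWORD, REALM = "victor", "s3cret-feed-pw", "feeds"
URL_TOKEN = "0123456789abcdef0123456789abcdef"   # placeholder URL token
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"     # server-issued nonce

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def basic_request(path):
    # Basic: the password is only base64-encoded, so it is plaintext on the wire.
    cred = base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()
    return {"line": f"GET {path} HTTP/1.1",
            "headers": {"Authorization": f"Basic {cred}"}}

def digest_request(path):
    # Digest: only MD5(HA1:nonce:HA2) is sent, never the password itself.
    ha1 = md5_hex(f"{USER}:{REALM}:{PASSWORD}")
    ha2 = md5_hex(f"GET:{path}")
    response = md5_hex(f"{ha1}:{NONCE}:{ha2}")
    value = (f'Digest username="{USER}", realm="{REALM}", nonce="{NONCE}", '
             f'uri="{path}", response="{response}"')
    return {"line": f"GET {path} HTTP/1.1", "headers": {"Authorization": value}}

def token_request(path):
    # URL token: the secret is part of the request line itself.
    return {"line": f"GET {path}?auth={URL_TOKEN} HTTP/1.1", "headers": {}}

def access_log_line(req):
    # Common Log Format stores the request line but not the Authorization header.
    return f'192.0.2.10 - - [12/May/2008:10:00:00 +0000] "{req["line"]}" 200 5120'

def secret_exposure(req, secret):
    """Report where `secret` can be read back for this request."""
    header = req["headers"].get("Authorization", "")
    decoded = ""
    if header.startswith("Basic "):
        decoded = base64.b64decode(header[len("Basic "):]).decode()
    return {
        "in_access_log": secret in access_log_line(req),
        "readable_in_header": secret in header or secret in decoded,
    }
```

The Basic case is why option 2 in the list pairs HTTP auth with HTTPS: the header only stays private if the transport is encrypted.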