I'm trying to create a web service which utilizes the Zend Framework. The API is REST-based and uses Zend_Rest_Controller as its base class. I wish to have user management and sessions, and for that I'm using the following code:

Login (POST)

// user id and password fetched first

$users = new Application_Model_DbTable_UserInfo();
$auth = Zend_Auth::getInstance();
$authAdapter = new Zend_Auth_Adapter_DbTable($users->getAdapter(), 'users');
$authAdapter->setIdentityColumn('userid')
    ->setCredentialColumn('password');
$authAdapter->setIdentity($userid)
    ->setCredential($pwd);
$result = $auth->authenticate($authAdapter);
if ($result->isValid()) {
    Zend_Session::rememberMe(604800);
    $storage = new Zend_Auth_Storage_Session(); // created but never used
    $usa = $authAdapter->getResultRowObject();
    $auth->getStorage()->write($usa);
    $authSession = new Zend_Session_Namespace('Zend_Auth');
    $authSession->setExpirationSeconds(60*60);
}

and when accessing the service with e.g. some GET method I wish to check that there is a valid session with the following code:

$auth = Zend_Auth::getInstance();
if (!$auth->hasIdentity()) {
    // error handling etc.
}

I never get an identity, hence the service doesn't work.

I have followed the guidance for ZF authentication quite strictly, but does the REST stuff need additional items to be taken into account?


1 Answer

I know I'm not answering your question, but if you are REALLY planning to implement a true REST interface (which implies it's going to enable you to scale well), you'd probably better forget about sessions and using Zend_Auth in the way you've depicted above.

Take a look here, where something about REST interfaces and authentication has been discussed already: Can you help me understand this? "Common REST Mistakes: Sessions are irrelevant"

In short, quoting from the Q/A thread above, "To be RESTful, each HTTP request should carry enough information by itself for its recipient to process it to be in complete harmony with the stateless nature of HTTP". I really feel like seconding that.

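One way to apply the answer's point in ZF1, as an added example that is not the asker's or the answerer's code: each request authenticates itself from its own Authorization header, and the identity is held in Zend_Auth_Storage_NonPersistent so nothing is written to the PHP session. It assumes clients send HTTP Basic credentials over TLS and reuses the table and column names from the question; the class name Application_Rest_AuthController and the unauthorized action are names chosen here.

```php
<?php
// Added example, not code from the question or the answer. Every request is
// authenticated from its own Authorization header and the identity is kept in
// Zend_Auth_Storage_NonPersistent, so nothing is written to $_SESSION.
// Assumes HTTP Basic credentials over TLS and the users table from the question.
abstract class Application_Rest_AuthController extends Zend_Rest_Controller
{
    public function preDispatch()
    {
        $request = $this->getRequest();
        // The forwarded 'unauthorized' action must not be challenged again.
        if ($request->getActionName() === 'unauthorized') {
            return;
        }

        // Header is "Basic base64(userid:password)"; reject anything else.
        $header  = (string) $request->getHeader('Authorization');
        $decoded = base64_decode(substr($header, 6), true);
        if (stripos($header, 'Basic ') !== 0 || $decoded === false
            || strpos($decoded, ':') === false) {
            return $this->_forward('unauthorized');
        }
        list($userid, $pwd) = explode(':', $decoded, 2);

        // Same table and columns as the question. Credential treatment is
        // omitted to match it; a real deployment compares a salted hash.
        $users   = new Application_Model_DbTable_UserInfo();
        $adapter = new Zend_Auth_Adapter_DbTable(
            $users->getAdapter(), 'users', 'userid', 'password'
        );
        $adapter->setIdentity($userid)->setCredential($pwd);

        $auth = Zend_Auth::getInstance();
        $auth->setStorage(new Zend_Auth_Storage_NonPersistent());
        if (!$auth->authenticate($adapter)->isValid()) {
            return $this->_forward('unauthorized');
        }
        // Actions can now read Zend_Auth::getInstance()->getIdentity().
    }

    // _forward() above skips the requested action and dispatches this one.
    public function unauthorizedAction()
    {
        $this->_helper->viewRenderer->setNoRender(true);
        $this->getResponse()
            ->setHttpResponseCode(401)
            ->setHeader('WWW-Authenticate', 'Basic realm="api"');
    }
}
```

Because no cookie or server-side session is involved, the hasIdentity() check in the question becomes unnecessary: a request that reaches an action has already been authenticated, and one that has not receives a 401.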