Hi Matt,
I've just hit a similar design decision. We're just starting down a route where the session ids is a message parameter.
I'd be curious to know the benefits of doing this at the transport layer.
Here's our situation (similar but different):
- the bulk of our method calls relate to personal data, and need to be traceable to some password authority.
so,
- the client needs to get auth_token at login
- all calls are over HTTPS. A session might be:
auth_token,user_id = login( username, pass )
addAddress( auth_token, user_id, address )
- validates auth_token is owned by the supplied userId.
- prevent a client for tweaking the userId and modifying records for other users.
In our server code I'm expecting that we can easily build a wrapper that performs the following transform:
(1) For each server method: f( auth_token, args... ) -->
{
if !valid( auth_token ) raise rpc_error(auth)
f'( args... ) # call the method,
}
(2) For each server method: f( auth_token, user_id, args... ) -->
{
if !valid_for_user( auth_token, user ) raise rpc_error(auth)
f'( user_id, args, ... ) # call the method,
}
... in order to remove the need to perform auth checks in the body every method call.
(Tiny RPC makes this very easy by using decorators.)
So, we've removed session_ids and can use the auth_token in its place. The auth_token also tracks the session.
My question is, what there benefits to having session IDs (or auth_tokens) visible-to/handled-in the transport layer?
Cheers,
- Stuart