Custom Authentication

[LiteWait]

Our ASP.Net 2.0 implementation of our services hosts multiple customers each with a different backend system.  And as such, relies upon authentication parameters that are a composition of  customer,user,password,store.  

A client makes an initial RPC "authenticate" method call which:

•  connects to a given customer's (backend) machine
  
•  validates the user/password/store
  
• generates a token, 
  
• stores a client/session information/options for this user in memcached by this token 
  
•  returns the token to the client.  
  

The client in turn uses that token on every service request to identify itself.

Question 1:  How can I implement this same model using ServiceStack custom authentication

Question 2:  Is the best place to bury this token is in a cookie under ServiceStack?  (right now each client method service passes the token as the first method argument ... I know ugh!)

Thanks.

[Arxisos]

I recommend to use request/respons filters (https://github.com/ServiceStack/ServiceStack/wiki/Request-and-response-filters) or filter attributes (https://github.com/ServiceStack/ServiceStack/wiki/Filter-attributes) to validate the token on each call.

It's completely up to you how you send your token to ServiceStack. Cookies or http headers (eg Authentication header) might be a possible solution (you can access the HTTP headers/cookie in your request filter).

Note, please ask future questions on StackOverflow as from today this group is only intended for general discussion about ServiceStack :)

Cheers, 

Steffen