NetTalk Central

Author Topic: Cookie or not?  (Read 3078 times)

Wolfgang Orth

Cookie or not?
« on: May 29, 2015, 01:22:59 AM »
Hello again!

I am now pondering about the right technique for client authentication.

On a LAN some Win32 web clients made with Clarion and NetTalk will request data from a SOAP server.

Because they are all on the same LAN, there is no real need for authentication. However, there is a need for identification of each client, to send back specific subsets of data. For this "ClientID" the COMPUTERNAME should be sufficient.

The logic here, when a client has a request for data, is to send the ClientID to the server first. The server then looks it up in the list of clients, and when this client is known, the server returns an OKAY, YOU ARE ALLOWED, I WILL LISTEN (sort of thing).

Now the client will send the request. It's a kind of "state machine", right?

I expect this to work.

However, it's also possible that sending the COMPUTERNAME as ClientID is not sufficient. In this case, the client will have a dialog at startup, where the user logs into the client. He should then remain logged in permanently, until the user intentionally logs out.

Because of the stateless connection the server knows whether the requesting client is legit. That means the client always has to send its credentials before each request.

There might be two requests within some minutes, but then nothing for the next three hours.

So I do not worry about the amount of data being pushed back and forth over the LAN, it will not be increasing the noise that much.

What makes me think is the handling of this process. Would it be easier to set a cookie, once the client has successfully connected? Such a cookie might be valid for more than just 15 minutes. It could be set to 365 days. And with each start of the client a new cookie would be issued, so this client would be eligible all the time. No need for permanent checking.

In short:

Idea 1:
  Client registers at Server.
  IF Server says OKAY, THEN Client sends Request.
  Over and over again, with every request.

Idea 2:
  Client registers at Server.
  Client requests are legit, as long as the Cookie exists.

What would be the best technique to solve that?

Or have I maybe forgotten or overlooked something?

Another thought: What if it is not a human user using a Win32 client, but a machine requesting things every 10 seconds? This will need another server, I think. But in this case a cookie might be the better option in general, I think.

Thanks for reading my lengthy thoughts,
Wolfgang
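An added illustration of Idea 2 from the post above (this is not code from the post, from Clarion or from NetTalk): the server issues a cookie only to a known ClientID at registration, signs it, and on every later request checks the signature and the expiry, so a client cannot simply present a different COMPUTERNAME to receive another client's data subset. The secret key, the client registry and the clock value are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample values (assumptions, not NetTalk configuration).
SERVER_SECRET = b"constructed-demo-secret-change-me"
KNOWN_CLIENTS = {"PC-LAB-01": "lab", "PC-OFFICE-07": "office"}  # ClientID -> data subset
COOKIE_TTL = 365 * 24 * 3600  # the one-year cookie lifetime mentioned in the post

def sign(payload: bytes) -> str:
    """HMAC over the cookie payload so the server can detect tampering."""
    return hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()

def issue_cookie(client_id: str, now: float) -> Optional[str]:
    """Idea 2, step 1: the client registers; only a known ClientID gets a cookie."""
    if client_id not in KNOWN_CLIENTS:
        return None
    payload = json.dumps({"cid": client_id, "exp": int(now + COOKIE_TTL)}).encode()
    token = base64.urlsafe_b64encode(payload).decode()
    return f"{token}.{sign(payload)}"

def verify_cookie(cookie: str, now: float) -> Optional[str]:
    """Idea 2, step 2: each request carries the cookie; check signature, then expiry."""
    try:
        token, mac = cookie.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(token.encode())
    except (ValueError, TypeError):
        return None  # malformed cookie
    if not hmac.compare_digest(mac, sign(payload)):
        return None  # forged or altered cookie: signature does not match
    claims = json.loads(payload)
    if claims["exp"] < now:
        return None  # expired: the client must register again
    return claims["cid"]

def handle_request(cookie: str, now: float) -> str:
    """Server side of a data request: answer only with the subset bound to the cookie."""
    cid = verify_cookie(cookie, now)
    if cid is None:
        return "DENIED"
    return f"subset:{KNOWN_CLIENTS[cid]}"
```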