Discussion:
"Persistent" Login. How "just works" without authentication?
Jerry Krinock
2007-09-06 00:57:56 UTC
Hi,

For an experiment, I've set up two del.icio.us accounts. Here's what
I see in Mac OS X:

1. Log in to del.icio.us with Safari with myAccount1.
2. Log in to del.icio.us with Safari with myAccount2.
2. Quit Safari.
3. Delete all the del.icio.us cookies from shared
NSHTTPCookieStorage.
4. Wait 10 seconds or more.
5. Re-launch Safari
6. Browse to http://del.icio.us/myAccount1.
Result: myAccount1 bookmarks appear. No authentication
required.
7. Browse to http://del.icio.us/myAccount2.
Result: myAccount2 bookmarks appear. No authentication
required.

I believe that the Apple URL Loading System is overly magical in the
way it handles authentications, but with other domains, this requires
secure cookies. If someone could give me the del.icio.us perspective
on how the above magic might be happening without cookies, I'd really
appreciate it.

My problem is that the API methods do not pass a username value.
Therefore, if a user has active "persistent" logins like this with
more than one account, API messages always connect to the first-
logged-in account. I need a way for the API to connect to a
particular account which I specify.

Thanks very much,

Jerry Krinock
joshuaschachter
2007-09-06 01:02:35 UTC
a) does it actually say you're logged in in the upper right hand side?
b) the API uses http auth, not cookies.
Jerry Krinock
2007-09-06 01:11:03 UTC
Post by joshuaschachter
> a) does it actually say you're logged in in the upper right hand side?
> b) the API uses http auth, not cookies.

Ah, my mistake. It says "log in" on the right side, and if I try to
use my bookmarklet, I'm asked to log in. (You see, I am new to
"social" bookmarking. I forgot that my bookmarks are public.)

So, forget my experiment. But how about my question regarding the
API. How do I specify the account, if it doesn't give me a challenge?

Thanks Josh,

Jerry
joshuaschachter
2007-09-06 01:14:54 UTC
What is the "it" that isn't giving you a challenge?

HTTP Auth requires you to specify a username and a password.
Jerry Krinock
2007-09-06 01:26:39 UTC
Post by joshuaschachter
> What is the "it" that isn't giving you a challenge?

The Apple URL Loading System. (If you've ever used Cocoa, the
problem is that my NSURLConnection delegate does not get a
connection:didReceiveAuthenticationChallenge: message.)

If you can verify for me that del.icio.us challenges each message,
then I know that the URL Loading System must be doing this undesired
magic, answering the challenge behind the scenes for me, with the
wrong answer.
Jerry Krinock
2007-09-06 02:12:19 UTC
OK, I solved the problem. It turns out that, besides cookies, the
Apple URL Loading System has another magical cache called
NSURLCredentialStorage that has to be purged. If I learn anything
interesting I'll post it tomorrow, after I get a better understanding
of what I just did.

Thanks, Josh.
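
The purge described in the last post, as an added example that is not code from the thread: it clears the credentials NSURLCredentialStorage holds for one host, then answers the HTTP auth challenge with an explicitly chosen account. It assumes ARC; `PurgeCredentialsForHost` and the `AccountFetcher` delegate class are hypothetical names, and the host string is the one used in the thread.

```objc
#import <Foundation/Foundation.h>

// Remove every credential cached for `host` from the shared store.
// Returns how many were removed.
static NSUInteger PurgeCredentialsForHost(NSString *host) {
    NSURLCredentialStorage *store = [NSURLCredentialStorage sharedCredentialStorage];
    NSDictionary *all = [store allCredentials]; // protection space -> {user -> credential}
    NSUInteger removed = 0;
    for (NSURLProtectionSpace *space in all) {
        if ([[space host] caseInsensitiveCompare:host] != NSOrderedSame) continue;
        NSDictionary *byUser = [all objectForKey:space];
        for (NSString *user in byUser) {
            [store removeCredential:[byUser objectForKey:user] forProtectionSpace:space];
            removed++;
        }
    }
    return removed;
}

// Hypothetical delegate: answers each challenge with the account chosen by the caller.
@interface AccountFetcher : NSObject
@property (copy) NSString *user;
@property (copy) NSString *password;
@end

@implementation AccountFetcher
- (void)connection:(NSURLConnection *)connection
    didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge {
    if ([challenge previousFailureCount] > 0) {
        // Credentials were rejected: stop instead of retrying.
        [[challenge sender] cancelAuthenticationChallenge:challenge];
        return;
    }
    // PersistenceNone keeps this credential out of NSURLCredentialStorage.
    NSURLCredential *cred =
        [NSURLCredential credentialWithUser:self.user
                                   password:self.password
                                persistence:NSURLCredentialPersistenceNone];
    [[challenge sender] useCredential:cred forAuthenticationChallenge:challenge];
}
@end

int main(void) {
    @autoreleasepool {
        // Host taken from the thread; run before starting the NSURLConnection.
        NSLog(@"removed %lu cached credential(s)",
              (unsigned long)PurgeCredentialsForHost(@"del.icio.us"));
    }
    return 0;
}
```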
