Acegi token vs PHP

I spent some time figuring out how acegi tokens work and how to use them with Prado in PHP. An acegi token is a hash-key-ish token that you can use to identify yourself with a web service instead of signing on with user-name and password for every page load. The way this works is as follows:

1.) First time, sign in with username and password.
2.) The soap server returns an acegi token and sets it in a cookie on the soap client.
3.) Grab the token and store it across page requests.
4.) For all subsequent calls, set the token in the soap client's cookies.

The token stays the same across the whole session. I’ve experienced two different behaviours when it comes to returning the token. Some services return the token with each response, while other services only return the token on the first call and send null in the subsequent calls. There is one exception to the first, and that’s when I encounter soap-faults. The token seems to be null with those no matter what.

It took me some time to get this right. I had never worked with acegi tokens until last week, so I was pretty much blank on the topic. Google didn’t offer much in terms of samples with PHP.

When a user signs on for the first time I connect to the web service in the user login method in the Prado user-manager. I make sure the token is returned and I store it in a field in the user object. The token is encrypted, but I do some extra magic to make sure everything is as secure as possible. The token is then serialized and stored with the Prado user object. On page load I make sure to retrieve the token from the current user and set it for the service. This is done in the preRunService method in a custom TApplication class.
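The four steps above and the two token-return behaviours, as an added PHP 8 example that is not code from the original post. It assumes a hypothetical service with a `login(username, password)` operation that sends the token in a cookie named `ACEGI_TOKEN`, and it keeps the token in `$_SESSION` rather than in the Prado user object; the null-token behaviour on later calls and on soap-faults is handled by never overwriting a stored token with an empty one.

```php
<?php
// Added example, not code from the original post. Assumes a hypothetical
// service exposing a login(username, password) operation and sending the
// acegi token in a cookie named ACEGI_TOKEN; adjust both to your service.
final class AcegiSoapSession
{
    private const TOKEN_COOKIE = 'ACEGI_TOKEN'; // assumed cookie name

    public function __construct(private SoapClient $client) {}

    /** Steps 1-3: authenticate once, capture the token, keep only the token. */
    public function login(string $user, string $password): string
    {
        $this->client->login(['username' => $user, 'password' => $password]);
        $token = $this->currentToken();
        if ($token === null) {
            throw new RuntimeException('login succeeded but no acegi token was set');
        }
        $_SESSION['acegi_token'] = $token; // the password is not stored anywhere
        return $token;
    }

    /** Step 4: re-attach the stored token before every later call. */
    public function call(string $operation, array $args = []): mixed
    {
        if (!empty($_SESSION['acegi_token'])) {
            $this->client->__setCookie(self::TOKEN_COOKIE, $_SESSION['acegi_token']);
        }
        // A SoapFault propagates from here; the server sends no token with a
        // fault, so we never reach the refresh below and keep the stored one.
        $result = $this->client->__soapCall($operation, [$args]);
        // Some services echo the token on every reply, others only on login
        // (null afterwards): overwrite the stored copy only on a real value.
        $fresh = $this->currentToken();
        if ($fresh !== null) {
            $_SESSION['acegi_token'] = $fresh;
        }
        return $result;
    }

    /** Token from the cookies the server set on this client, or null. */
    private function currentToken(): ?string
    {
        $value = $this->client->__getCookies()[self::TOKEN_COOKIE][0] ?? null;
        return ($value === null || $value === '') ? null : $value;
    }
}
```

In a Prado application the `login()` call belongs in the user-manager's login method and the cookie re-attachment in `preRunService`, as described above.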

It’s been a few days since I got this implemented now, and everything seems to work very well. It’s nice to have the extra layer of security so the user-name and password can be used once and then thrown away.