I read this article on authenticating an API key using Symfony:
http://symfony.com/doc/current/cookbook/security/api_key_authentication.html
It explains the authentication part well, but doesn't seem to explain how the state between requests works outside of a regular session.
But in some situations (for example, an OAuth stream), a token can be sent for only one request. In this case, you will want to authenticate the user and save this authentication in the session so that the user is automatically registered for each subsequent request.
This makes sense, but how does the user access the session with subsequent requests if the token is provided only on the first? I cannot use session cookies because CORS restrictions will not allow me.
What I'm mostly trying to achieve is an API with which I can get the credentials for the POST login in exchange for an access token that allows me to associate requests with the session.
Can someone help fill in some gaps or suggest a better way to do this?
source
share