originally posted in: BungieNetPlatform
If you use curl for making one request you should use it for all of them to keep track of all the cookies. You should set the CURLOPT_COOKIEFILE and CURLOPT_COOKIEJAR values to the/a file to store them and use the same file whenever you make a request. Think of a cookie file as an incognito browsing session if that helps. I'd also recommend [i]not[/i] using streams in this scenario because you'll inevitably need to deal with managing all the cookies, encoding them, and putting the cookie string in the header for each request - cURL does that for you.
Don't forget to add the x-csrf header to your requests with the value of the bungled cookie as the value for that header.
-
I got this working, but since I'll need to store the cookie server side with CURL I'll have to append the session ID to the cookie name so each user gets a unique cookie. Do you guys put warnings in your login that you're passing the users' username and password to your server via POST?
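As an added example (written for this thread, not code from either poster or from Bungie), the following PHP puts the two points above together: one cookie jar file per user session that is both CURLOPT_COOKIEFILE and CURLOPT_COOKIEJAR for every request, and the x-csrf header filled from the "bungled" cookie that cURL has already stored in that jar. The jar directory, the API URL and the session id are hypothetical; the jar filename is derived from a hash of the session id rather than the raw value, so a caller-supplied id cannot be turned into a path outside the jar directory.

```php
<?php
// Added example: a shared cURL cookie jar per user session, with the
// x-csrf header taken from the "bungled" cookie stored in that jar.

// Build the jar path for one user session. The session id is hashed so that
// an attacker-chosen id (e.g. "../../etc/passwd") cannot escape $jarDir.
// Keep $jarDir outside the web root; the jar holds live session cookies.
function cookieJarPath(string $jarDir, string $sessionId): string {
    return rtrim($jarDir, '/') . '/' . hash('sha256', $sessionId) . '.jar';
}

// Read one cookie value out of the Netscape-format jar that cURL writes.
// Each entry is tab-separated: domain, flag, path, secure, expiry, name, value.
function cookieFromJar(string $jarPath, string $name): ?string {
    if (!is_readable($jarPath)) {
        return null;
    }
    foreach (file($jarPath, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        // cURL prefixes HttpOnly cookies with "#HttpOnly_"; those are real
        // entries, every other "#" line is a comment.
        if ($line[0] === '#' && strpos($line, '#HttpOnly_') !== 0) {
            continue;
        }
        $fields = explode("\t", $line);
        if (count($fields) >= 7 && $fields[5] === $name) {
            return $fields[6];
        }
    }
    return null;
}

// One request through the shared jar. Because the same file is both the
// cookie source and the cookie sink, cookies set by earlier responses are
// sent on later requests with no manual Cookie header handling.
function apiRequest(string $url, string $jarPath, ?array $postFields = null): array {
    $headers = ['Accept: application/json'];

    // The API expects the x-csrf header to echo the "bungled" cookie.
    $csrf = cookieFromJar($jarPath, 'bungled');
    if ($csrf !== null) {
        $headers[] = 'x-csrf: ' . $csrf;
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_COOKIEFILE     => $jarPath,   // cookies are read from here
        CURLOPT_COOKIEJAR      => $jarPath,   // and written back here on close
        CURLOPT_HTTPHEADER     => $headers,
        CURLOPT_SSL_VERIFYPEER => true,       // keep certificate checks on
        CURLOPT_FOLLOWLOCATION => false,      // do not replay cookies to redirect targets
        CURLOPT_TIMEOUT        => 15,
    ]);
    if ($postFields !== null) {
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($postFields));
    }

    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $error  = curl_error($ch);
    curl_close($ch);  // the jar file is flushed to disk here

    if ($body === false) {
        throw new RuntimeException("request failed: $error");
    }
    return ['status' => $status, 'body' => $body];
}

// Usage with hypothetical values (directory, host and endpoint are not real):
// $jar = cookieJarPath('/var/app/cookiejars', session_id());
// $r   = apiRequest('https://api.example.invalid/Platform/SomeEndpoint/', $jar);
```

Two details worth keeping: cURL only writes the jar when the handle is closed, so a second request issued before `curl_close()` on the first would not see the new cookies, and the jar files themselves are credential material for the users they belong to, so they need the same file permissions and cleanup you would give a session store.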
-
No, because you shouldn't be handling their username and password combination. I realise you do need them to make [more] use of the API, but this should be completely hands-off from third parties.
-
So we should NOT be authenticating users?
-
Not as a third party, no. Obviously it's technically possible as you're saying, but it's essentially a man in the middle attack, and that problem is only exacerbated if your server isn't SSL/TLS-enabled. I would also have to assume Microsoft and Sony (not to mention Bungie) would not be happy you were doing that with their users' information, either.
-
If that's the case then all of these efforts are futile. Hopefully they pull their head out of their asses and make certain public that don't have to be private.