I have asked a few questions on here before about various things relating to this but this is more of a consolidation question as I would like to check I have got the gist of everything.

I am in the middle of developing a social media web app and although I have a lot of experience coding in Java and in PHP I am trying things a bit different this time. I have modularised each component of the application. So for example one component of the application allows users to private message each other and I have split this off into its own private messaging service. I have also created a user data service, the purpose of which is to return data about the user, for example their name, address, age etc., from the database. There is also another service, the friends service, which will work off the neo4j database to create a social graph. My reason for doing all this is to allow me to update separate modules when I need to - so while they mostly all run off MySQL right now I could move one to Cassandra later if I thought it appropriate.

The actual code of the web app is really just used for the final construction. The modules behind it don't really follow any strict REST or SOAP protocol. Basically each method on our API is turned into a PHP procedural script. This then may make calls to other back-end code which tends to be OO. The web app makes CURL requests to these pages and POSTs data to them or GETs data from them. These pages then return JSON where data is required.

I'm still a little mixed up about how I actually identify which user is logged in at that moment. Do I just use sessions for that? Like if we called the get-messages.php script which equates to the getMessages() method for that user - returning all the private messages for that user - how would the back-end code know which user it is, as posting the user's ID to the script would not be secure. Anyone could do that and get all the messages. So I thought I would use sessions for it. Am I correct on this?

Can anyone spot any other problems with what I am doing here?


Accepted Answer

What you're creating sounds a lot like any other REST interface, such as the Twitter API. In that case, you might consider looking at how those APIs handle user sessions.

Typically there is some sort of handshake process that gives the client a user token, and the client uses that token to get data from the API so long as that session is active.

So in this case you'd have to develop the interface for generating a user token and then have the backend manage those sessions. For your various interfaces like get-messages.php you'd probably take something like $userToken as a $_GET or $_POST variable and validate it against your database of active user sessions.
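
The token check described in the answer above, as an added example that is not part of the original answer. The `sessions` table, the function names and the in-memory SQLite store are assumptions for illustration; the point is that the user ID is looked up from the token on the server and never taken from the request.

```php
<?php
declare(strict_types=1);

// Constructed in-memory store standing in for the "database of active user sessions".
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (token_hash TEXT PRIMARY KEY,
           user_id INTEGER NOT NULL, expires_at INTEGER NOT NULL)');

// Handshake step (hypothetical helper): call once after the login check succeeds.
function issueToken(PDO $db, int $userId, int $ttl = 3600): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, hex encoded
    $stmt = $db->prepare('INSERT INTO sessions (token_hash, user_id, expires_at) VALUES (?, ?, ?)');
    // Store only the SHA-256 of the token, so a leaked table holds no usable tokens.
    $stmt->execute([hash('sha256', $token), $userId, time() + $ttl]);
    return $token;
}

// Every API script calls this first; null means "not authenticated".
function userIdForToken(PDO $db, string $token): ?int
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return null; // malformed input is rejected before any query runs
    }
    $stmt = $db->prepare('SELECT user_id FROM sessions WHERE token_hash = ? AND expires_at > ?');
    $stmt->execute([hash('sha256', $token), time()]);
    $userId = $stmt->fetchColumn();
    return $userId === false ? null : (int) $userId;
}

// Logout or revocation: delete the row so the token stops working immediately.
function revokeToken(PDO $db, string $token): void
{
    $db->prepare('DELETE FROM sessions WHERE token_hash = ?')
       ->execute([hash('sha256', $token)]);
}

// Constructed walk-through of what get-messages.php would do for user 42.
$token = issueToken($db, 42);
var_dump(userIdForToken($db, $token));              // valid token: session owner's ID
var_dump(userIdForToken($db, str_repeat('0', 64))); // well-formed but unknown token
revokeToken($db, $token);
var_dump(userIdForToken($db, $token));              // same token after revocation
```

Sending the token in a POST body or request header rather than the query string keeps it out of web server access logs.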

The content is written by members of the stackoverflow.com community.
It is licensed under cc-wiki