John Craig wrote:
In my case, the user credentials are an app id and a password. They are set up manually, beforehand, to allow any number of app instances running on users' devices to connect and share data. If you want to create actual user accounts through your app and don't want to send plain text then you're going to have to use encryption.
One method Dave Cragg, me, and others have used is a home-grown quasi-HTTPS-like scheme in which the client first handshakes with the server to obtain a token, which is a hash of the IP address, time stamp, and some salt, and that token is used as a key to send the authentication data, after which all other data uses a less derivable method.
While imperfect, and of course no substitute for just using a cert, it keeps the credentials reasonably well protected since hacking it requires both spoofing the IP address of the client and doing so within a limited time frame.
--
Richard Gaskin
Fourth World
LiveCode training and consulting: http://www.fourthworld.com
Webzine for LiveCode developers: http://www.LiveCodeJournal.com
Follow me on Twitter: http://twitter.com/FourthWorldSys
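
The handshake described in the message above, sketched as an added example that is not part of the original thread and is not the posters' implementation. Assumptions: HMAC-SHA256 stands in for the unspecified hash, the 30-second window, names and sample credentials are constructed, and the token keys a MAC over the credentials (a substitution, since the message does not name the cipher used to send them).

```python
import hashlib
import hmac
import time

SERVER_SALT = b"constructed-server-secret"   # assumption: secret held only by the server
TOKEN_TTL = 30                                # assumption: seconds a token stays valid
APP_CREDENTIALS = {"app-42": "s3cret-pass"}   # constructed sample app id / password


def issue_token(client_ip, now=None):
    """Handshake step: token = hash of IP address, time stamp and salt."""
    ts = int(time.time() if now is None else now)
    mac = hmac.new(SERVER_SALT, f"{client_ip}|{ts}".encode(), hashlib.sha256)
    return ts, mac.hexdigest()


def client_proof(token, app_id, password):
    """Client side: use the token as the key protecting the credentials."""
    msg = f"{app_id}:{password}".encode()
    return hmac.new(bytes.fromhex(token), msg, hashlib.sha256).hexdigest()


def verify_login(client_ip, ts, app_id, proof, now=None):
    """Server side: re-derive the token from the connection's IP and check the proof."""
    now = time.time() if now is None else now
    if not 0 <= now - ts <= TOKEN_TTL:
        return False                          # outside the limited time frame
    password = APP_CREDENTIALS.get(app_id)
    if password is None:
        return False                          # unknown app id
    # Recomputing from the observed IP is what binds the token to the client:
    # a request arriving from another address derives a different key.
    _, token = issue_token(client_ip, now=ts)
    expected = client_proof(token, app_id, password)
    return hmac.compare_digest(expected, proof)


if __name__ == "__main__":
    ts, token = issue_token("203.0.113.7")
    proof = client_proof(token, "app-42", "s3cret-pass")
    print("same IP, in window:", verify_login("203.0.113.7", ts, "app-42", proof))
    print("other IP:", verify_login("198.51.100.9", ts, "app-42", proof))
```

The server keeps no per-client state here: the client sends back the time stamp with its proof, and the server rebuilds the token from that and the source address it sees.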