RSS Security Question

[FinallyInSeattle]

I'm new to RSS and have been tasked to write a spec for an RSS
Publishing facility for my client. I'm proposing that the RSS be
rendered on-the-fly for the most up to date results and to also support
RSS feeds of saved searches. My issue is that any of the stored
procedure calls that I have to make to retrieve the necessary
information require a user id. How is this typically handled? What is
the best way to get "user logon" information? In a standard
newsreader, how does this look to the user?

Thanks in advance!

 

[David Hogue]

I'm new to RSS and have been tasked to write a spec for an RSS
Publishing facility for my client. I'm proposing that the RSS be
rendered on-the-fly for the most up to date results and to also support
RSS feeds of saved searches. My issue is that any of the stored
procedure calls that I have to make to retrieve the necessary
information require a user id. How is this typically handled? What is
the best way to get "user logon" information? In a standard
newsreader, how does this look to the user?

Thanks in advance!

Not too long ago I wrote a system that would render rss on-the-fly and
required a user login. In my case it was for podcasts, so I went and
tested a few of the more popular clients. I used a simple rss file and
tweaked the IIS security settings to see what each supported.

Most clients I tested supported http basic and digest authentication. A
few didn't support any authentication and none of them supported forms
authentication. I would expect similar results from more generic
aggregators. The readers that did support authentication would pop up a
username/password dialog when adding the feed or the first time the feed
was updated.

If you just need the user id or name you might be able to pass it in the
url (http://some.random/location.rss?userId=42). This would be fairly
insecure, but if you just wanted it to customize the feed somehow it
might do the trick.