ASP.NET MVC: How does one add authentication to RSS Feeds?

Question

I have seen a few examples of how to create RSS feeds using ASP.NET MVC, either by creating an Action or through an HttpHandler.

I need to authenticate feeds and am wondering how this is to be done (and supported by RSS readers rather than just browsing to the page/xml through a browser) and how would authentications differ between an MVC Action or HttpHandler?

Answer 1

and supported by RSS readers rather than just browsing to the page/xml through a browse

I would expect most readers to support typical (basic and digest) authentication. E.g. twitter's feeds require authentication.

Answer 2

There are multiple ways to do it.

The best approach, according to me, is using REST architecture with credentials in either the path or as post-data (1st approach preferred).

1st Approach:

Step1: GET http://www.myserver.com/myfeed.rss/username/query => this should return a random value Step2: GET http://www.myserver.com/myfeed.ress/username/hashed-password => The hashed password expected from the client is hash(<random-value>+<password>).

This will serve two purposes:

1. Original password is never transmitted on the wire
2. Random value ensures that the hash is unique, and hence, cannot be reused.

You may want to set an expiry date/time for the username + random-value combination with other IP related security actions to ensure that session hijack cannot happen.

EDIT:

Use HTTP Handler for the path="myfeed.rss" with verbs="GET" in web.config

Answer 3

the simplest way is to give each client an unique url. so in this case you always will know who is querying the feed.

http://site.com/rss/<some_secret_hash_here>

in other hand - you can use urls with standart user:password pair like:

http://user:password@site.com/rss/blabla.xml

and just parse user:password.

i prefer to use first one.