HTTP Basic authentication using Authlogic or authenticate_or_request_with_http_basic for API call?
Posted by Gaius Parx on Stack Overflow
Published on 2010-04-23T19:44:46Z
I have a Rails 2.3.x app that implements acts_as_authentic in the User model and a UserSession model, as per the Authlogic GitHub example. I am implementing an API to allow access from an iPhone. I will be using HTTP Basic authentication via HTTPS (and will not implement the single access token). Each API call requires a username/password for access.

I am able to access the API by calling http://username:password@localhost:3000/books.xml, for example. Authlogic will not persist if using the single access token. But I am using HTTP Basic, for which I think Authlogic will create a session for the API calls, and that session is not used by my API methods. So for each API call I make, a new session object is created. It appears to me that this would load up the server resources pretty quickly. That sounds like a bad idea.

The alternative is to use the Rails authenticate_or_request_with_http_basic for API controllers. For example, adding a before_filter:
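
    # before_filter for API controllers: HTTP Basic check against the User model
    def require_http_auth_user
      authenticate_or_request_with_http_basic do |username, password|
        # Look the user up by e-mail, then verify the supplied password
        if (@current_user = User.find_by_email(username))
          @current_user.valid_password?(password)
        else
          false
        end
      end
    end
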
This will bypass the Authlogic UserSession and just use the User model. But this will involve using separate authentication code in the app.

Does anyone have any comments, or can anyone share their experience? Thanks
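
The per-request check that the question's `before_filter` relies on, as an added example that is not part of the original post and is not Rails or Authlogic code: it decodes the `Authorization` header, verifies the password in constant time, and keeps no session. The `USERS` store, PBKDF2 parameters, realm name and sample credentials are constructed assumptions standing in for the `User` model.

```ruby
require "openssl"

ITERATIONS = 10_000 # constructed value for this example

def hash_password(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32, OpenSSL::Digest.new("SHA256"))
end

# Constructed in-memory user store standing in for the User model (assumption).
USERS = {
  "alice@example.com" => { salt: "salt-a", hash: hash_password("s3cret:with:colons", "salt-a") }
}.freeze
# Dummy record so unknown users cost the same hashing work as known ones.
DUMMY = { salt: "salt-x", hash: hash_password("unused", "salt-x") }.freeze

# Compare two strings without stopping at the first differing byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Build an "Authorization" header value (used for the constructed requests).
def basic_header(user, pass)
  "Basic " + ["#{user}:#{pass}"].pack("m0")
end

# Decode "Basic <base64(user:pass)>"; returns [user, pass] or nil.
# Split on the first colon only, because passwords may contain colons.
def parse_basic(header)
  scheme, token = header.to_s.split(" ", 2)
  return nil unless scheme&.casecmp?("Basic") && token
  user, pass = token.strip.unpack1("m").split(":", 2)
  user && pass ? [user, pass] : nil
end

# Per-request check: reads only the header and stores nothing between calls.
def authenticate(header)
  user, pass = parse_basic(header)
  record = USERS[user] || DUMMY
  matches = secure_compare(hash_password(pass.to_s, record[:salt]), record[:hash])
  if matches && USERS.key?(user)
    { status: 200, user: user }
  else
    { status: 401, headers: { "WWW-Authenticate" => 'Basic realm="API"' } }
  end
end
```

Hashing against the dummy record when the e-mail is unknown keeps response time from revealing which accounts exist, a difference the lookup-then-verify pattern can otherwise expose.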