Specification - RETS
SECTION 4: LOGIN TRANSACTION
A client MUST issue a login request prior to proceeding with any other request. The Login transaction verifies all login information provided by the user and begins a RETS session. Subsequent session control may be mediated by HTTP cookies or any other method, though clients are required to support at least session control via HTTP cookies. Section 14 describes the session protocol in detail.

The server’s response to the Login transaction contains the information necessary for a client to issue other requests. It includes URLs that may be used for other RETS requests, and may also contain identity and parameter information if required by the functions supported by the server.

4.1 Security

4.1.1 User Authentication

While this specification does not require the use of security — it is permissible, for example, to operate a publicly-accessible RETS server — most operators of RETS servers will wish to authenticate users. A server that requires that users be authenticated MAY implement RFC 2617, HTTP Authentication. The use of at least digest authentication is strongly recommended.

4.1.2 Client Authentication

Client authentication may be performed through the use of the optional RETS-UA-Authorization header (section 3.4). Prior versions of this specification used a specially-calculated cnonce value in the Authorization header to implement this function. A server implementing this version of the RETS specification MUST accept the RETS-UA-Authorization header for client authentication. It MAY accept RFC 2617-style authentication as in prior versions of the RETS specification.

4.1.3 Data Security

Needs for secure HTTP transactions cannot be met by authentication schemes. For those needs, HTTP-over-TLS (commonly known as HTTPS) is a more appropriate protocol. A
Version 1.7.2 4-1
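
Added example (not part of the RETS specification): a server-side check of the RFC 2617 Digest Authorization header that section 4.1.1 recommends, run against the example values published in RFC 2617 section 3.5. The function names and the in-memory user and nonce stores are assumptions made for this illustration.

```python
import hashlib
import hmac
import re

# Constructed sample: header values taken from the worked example in RFC 2617 section 3.5.
SAMPLE_HEADER = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
    'qop=auth, nc=00000001, cnonce="0a4f113b", '
    'response="6629fae49393a05397450978507c4ef1"'
)
USERS = {("Mufasa", "testrealm@host.com"): "Circle Of Life"}  # hypothetical user store
NONCES = {"dcd98b7102dd2f0e8b11d0f600bfb0c093"}               # nonces this server issued

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_digest_header(header: str) -> dict:
    """Split 'Digest k="v", k2=v2' into a dict, accepting quoted and bare values."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', params)
    return {key.lower(): quoted or bare for key, quoted, bare in pairs}

def expected_response(f: dict, method: str, password: str) -> str:
    """Request-digest from RFC 2617 section 3.2.2, algorithm MD5."""
    ha1 = md5_hex(f"{f['username']}:{f['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{f['uri']}")
    if f.get("qop") == "auth":
        return md5_hex(f"{ha1}:{f['nonce']}:{f['nc']}:{f['cnonce']}:auth:{ha2}")
    return md5_hex(f"{ha1}:{f['nonce']}:{ha2}")  # form used when the client sends no qop

def lookup_password(username: str, realm: str):
    return USERS.get((username, realm))

def verify_login(header, method, request_uri, issued_nonces, get_password) -> bool:
    """True only if the header is well formed and its response matches ours."""
    try:
        f = parse_digest_header(header)
        password = get_password(f["username"], f["realm"])
        # The nonce must be one we issued; nonce-count replay tracking is omitted here.
        if password is None or f["nonce"] not in issued_nonces or f["uri"] != request_uri:
            return False
        # Constant-time comparison avoids leaking how many characters matched.
        return hmac.compare_digest(expected_response(f, method, password), f["response"].lower())
    except (KeyError, ValueError, TypeError):
        return False

if __name__ == "__main__":
    print(verify_login(SAMPLE_HEADER, "GET", "/dir/index.html", NONCES, lookup_password))
```

The password never crosses the wire in this exchange, but every other header and the response body do, which is why 4.1.3 points to HTTPS for confidentiality.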