secure access to a web app from a standalone app

Im missing something simple I think. I have a web app that allows users to enter data. The user need a password to logon- all ok.- works fine.
I want to build a desktop app that now can connect to the web app and download data, but only the data for that desktop.
Whats the best way to do a login from a desktop app to the web app.?
Any Examples?

Ok, first of all, unless you’re using an htmlviewer, the login screen in your web app won’t work for you. The connecting client needs to be able to run JavaScript, and httpSocket is not a browser.

What you can do, is to use HandleURL or HandleSpecialURL and have your desktop app send raw http requests, to which the web app can respond. There you would create a login mechanism whereby the client app sends username and password over ssl, and the app verifies their credentials and returns a string token of some kind, something that is easy to verify. as long as the client app sends that token along with its requests, you know it’s a valid client. You might want to put an expiration date on there too.

FWIW, Travis will be doing a session on building APIs using a web app at XDC in Austin this year.

Thanks Greg, Ill use the handleURL, Ill have to look at how to do SSL
The desktop doesnt need to log into the html side of things, just needs to be able to download data in asecure way.

You should be using https for your app if you’re using a login screen, so ssl should already be in place.

There are many was to do this, but the most common is probably to design a RESTful API and secure it with some kind of API key rather than a user/password combination.

Anyone have a site that gives best practice on creating such an API?
My desktop app just needs to check in a few times a day to download any new data.

My thoughts are-
If my desktop app sends a a request ie userid,date,time,hash

Where the hash is a shared secret password( and the userid, date,time )and the request is only valid for 60 seconds after being sent.

The webAPP checks the hash,and the time , if ok then sends the files.

Should be secure …?

If it’s a one-off request like that, your idea will probably work just fine. Make sure you sufficiently protect the shared secret in your desktop app though. Instead of a constant or a string literal, you may consider a function which returns the result of a function (like a series of chr commands). It’ll make it a little bit harder for prying eyes to figure out your hash.