I am working on a web API that should allow users to authorize and authenticate via these services (both SOAP and RESTful services).
The idea is that users should log in first via the web services, and I would return a sessionId to the client, and the client would use this sessionId in all upcoming requests.
On the server side, I would check whether the user provided a sessionId, and if yes, I would start a new session with this sessionId (of course I would add some protection later against session hijacking, like storing the IP address together with the session).
So, to do this I would extend CWebUser, change the init() method and add a new method called restoreFromSession(), which would be similar to the restoreFromCookie method. All this sounds good, but the problem is that I planned for the sessionId to be sent in the REST or SOAP content, so the content needs to be parsed to extract this parameter, and that happens after the WebUser component is initialized. It should happen before, because session_id must be set before session_start (or Yii::app()->getSession()->open()).
I could solve this issue, but it looks like it will require many modifications, so maybe my approach is wrong.
So, my final question is: can somebody suggest a better idea for how to authenticate/authorize users for accessing a web API?
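
The ordering problem described in the post, as an added example that is not part of the original post: the session ID is read from the request body and validated in an `onBeginRequest` handler, before anything opens the session. The class name, the `sessionId` JSON field and the ID pattern are assumptions; only the REST/JSON case is shown, and it assumes neither `session` nor `user` is listed under `preload`.

```php
<?php
// Added example. ApiSessionBootstrap and the "sessionId" field are hypothetical names.
class ApiSessionBootstrap
{
    // Assumption: IDs were issued by PHP's default handler, which only
    // produces the characters a-z, A-Z, 0-9, ',' and '-'.
    const ID_PATTERN = '/\A[A-Za-z0-9,-]{22,128}\z/';

    /**
     * Return the session ID carried in a JSON request body,
     * or null when it is absent or not a well-formed ID.
     */
    public static function extractSessionId($rawBody)
    {
        $data = json_decode($rawBody, true);
        if (!is_array($data) || !isset($data['sessionId']) || !is_string($data['sessionId'])) {
            return null;
        }
        // Reject anything that could not be a PHP-issued ID before it
        // reaches session_id(): no path characters, no control bytes.
        return preg_match(self::ID_PATTERN, $data['sessionId']) === 1
            ? $data['sessionId']
            : null;
    }

    /**
     * onBeginRequest handler. It runs before any controller code touches
     * Yii::app()->user, so CWebUser::init() later opens the session
     * under the ID selected here.
     */
    public static function onBeginRequest($event)
    {
        // php://input can be re-read by the REST layer afterwards (PHP >= 5.6).
        $id = self::extractSessionId(file_get_contents('php://input'));

        // session_id() only takes effect while no session is active.
        if ($id !== null && session_id() === '') {
            session_id($id); // must precede session_start()
        }
    }
}

// protected/config/main.php (fragment, top level of the returned array):
// 'onBeginRequest' => array('ApiSessionBootstrap', 'onBeginRequest'),
```

A request without a valid `sessionId` falls through to a fresh session, so the login endpoint still works unchanged.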