I am working on builing an API and application section on a social network so it will be something like myspace, facebook, hi5, friendster, netlog, and many other’s have application section, they all use a REST server method and most of them will issue a api key and secret to each application developed. The person who builds the app will pass the api key and a user signature that is created with a hashing algorithm based on the user’s ID who is using the app and the apps’ API key. The applications code should set a cookie with some information like user id and signature and time. So on my server end the REST part should I just build the signature the same way the app does, check to make sure they are the same, if they are I send the correct data back. My concern is, how do I make sure a developer does not set a user’s cookie to keep them authenticated for a long time, should I compare the time the users signature was created and if it is like a day old then I will send a bad response back from the REST?

When a user first add’s an application from my main site, I will load the application site into an iframe and I will pass in user ID and other fields where I include the iframe so the application can use GET to initially get the information it needs to set it’s cookie.

If you can help on this issue I would appreciate it, does it sound like I am in the right direction so far?

BTW I am using PHp/MySQL