SpeakingX

I have been struggling with user authentication for the services module ( 5-x.0.92). This is the first version I installed. However, by checking the handbook and the outdated examples, it's not hard to tell significant change has been made in this version, especially the user authentication part which requires api keys, HMAC with sha256 hashing function, etc.
I followed http://drupal.org/node/308629 and created a solution in VC# express 2008, but it doesn't work. it seems it fails at system.connect, and the error is "response contains struct value with missing non-optional member: sessionid [response : struct mapped to type Drupal]"

I also created a Java project following that example, but got "Exception in thread "main" redstone.xmlrpc.XmlRpcFault: Invalid API key."

By digging into the module source code, I finally figured out there's nothing wrong in my Java code. It's because I didn't supply a domain name for the generated API key.

These extra security stuff seems be hastily written as there appears to be an obvious bug. In services_admin_browse.inc, the hash calculation doesn't match that in services.module.
hash_hmac("sha256", $timestamp . $_SERVER['HTTP_HOST'] . $nonce . arg(4), services_admin_browse_get_first_key()))
This can be verified by entering a user name and password at the service admin page of user.login