All geek questions in one place

REST Statelessness and User Session in Web Services

I want to develop a REST API. REST rules state that the state should not be stored on the server side. But the REST methods that I want to implement involve user connection control. To respect statelessness, do I need to provide user credentials in every request of the REST method? I find this rather ineffective ... Is there any other more efficient way?

+4
source share
2 answers

Statelessness is one of the main limitations of the REST architecture, which can be read in the original publication:

5.1.3 stateless

Then we add a restriction on client-server interaction: the connection must be inactive by nature, as in the client-stateless server (CSS) style of section 3.4.3 (Figure 5-3), so that each request from the client to the server should contain all the information required to understand the request, and cannot use any stored context on the server. Therefore, the state of the session is completely saved on the client.

So, for the credentials you mentioned, you must provide them in each call separately (for example, Basic Auth + SSL). Of course, this was the "real world", and applications are starting to vary. You can also use OAuth, fixed tokens, etc., but remember that then you weaken the "RESTfulness" of your API.

+7
source

Authentication for each request does not necessarily require a username and password for each request. Some systems take a username and password, verify it, and then create a security token that can be transmitted for each request.

The idea is that the token should be authenticated faster than performing a full verification of the user's password. Obviously, depending on how complex the generation and verification of the token is, you can open other security holes, but you must decide how important this is.

+3
source

Source: https://habr.com/ru/post/1334755/

More articles:


All Articles