Is the session used for REST authentication?

Sorry for the noobish question; this is the first time I'm trying to implement a REST interface (in PHP). In any case, since the HTTP protocol has no state, what is the best practice to ensure that:

GET /user/{id}/friends

is always and only executed by the currently authenticated user? Is a session typically used as a REST access restriction method?

1 answer

You can use HTTP sessions, which are nothing more than server-side cookies. They are usually fine, but there have been many reports of session hijacking recently. So my answer, if you are really worried about this, is to use HMAC. This is difficult to configure, but once it is set up you can be sure that the message really came from an authenticated user.

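The HMAC approach from the answer, worked through in PHP as an added example (this is not code from the original post or from any library). The client signs the method, path, timestamp and a body hash with a shared secret; the server looks the secret up by key id, recomputes the HMAC, compares it in constant time, rejects stale timestamps, and only then checks that the authenticated user actually owns the `{id}` in `/user/{id}/friends`. That last step is the part the question is really about: authentication tells you who sent the request, not whether they may read this user's friends. The key store, secrets, header names and the sample request are all constructed for the example. The same ownership check applies if you keep sessions instead: compare `$_SESSION['user_id']` to `{id}` and return 403 on mismatch.

```php
<?php
// Added example, not from the original post: HMAC request signing for a REST
// endpoint plus the authorization check that the caller owns {id}.
declare(strict_types=1);

// Server-side key store: key id -> owning user and shared secret.
// Constructed for the example; a real deployment reads this from a database.
const API_KEYS = [
    'key-1001' => ['user_id' => 42, 'secret' => 'c0ffee-secret-for-user-42'],
    'key-2002' => ['user_id' => 7,  'secret' => 'deadbeef-secret-for-user-7'],
];

const MAX_CLOCK_SKEW = 300; // seconds; limits how long a captured signature can be replayed

// Canonical string both sides sign. Binding method, path, timestamp and a body
// hash means a signature cannot be lifted from one request and reused on another.
function canonicalRequest(string $method, string $path, int $timestamp, string $body): string
{
    return implode("\n", [strtoupper($method), $path, (string) $timestamp, hash('sha256', $body)]);
}

// Client side: produce the headers that accompany the request.
function signRequest(string $keyId, string $secret, string $method, string $path, string $body, int $timestamp): array
{
    $sig = hash_hmac('sha256', canonicalRequest($method, $path, $timestamp, $body), $secret);
    return ['X-Key-Id' => $keyId, 'X-Timestamp' => (string) $timestamp, 'X-Signature' => $sig];
}

// Server side: returns the authenticated user id, or null if the request is not authentic.
function authenticate(array $headers, string $method, string $path, string $body, int $now): ?int
{
    $keyId = $headers['X-Key-Id'] ?? '';
    $ts    = $headers['X-Timestamp'] ?? '';
    $sig   = $headers['X-Signature'] ?? '';
    if (!isset(API_KEYS[$keyId]) || !ctype_digit($ts) || $sig === '') {
        return null;
    }
    if (abs($now - (int) $ts) > MAX_CLOCK_SKEW) {
        return null; // stale or future-dated: treat as a replay
    }
    $expected = hash_hmac('sha256', canonicalRequest($method, $path, (int) $ts, $body), API_KEYS[$keyId]['secret']);
    // hash_equals is constant-time; a plain === leaks timing information about the prefix that matched.
    return hash_equals($expected, $sig) ? API_KEYS[$keyId]['user_id'] : null;
}

// Handler for GET /user/{id}/friends. Authentication alone does not prove the
// caller owns {id}, so the ownership check is explicit and separate.
function handleFriends(array $headers, string $path, int $now): array
{
    if (!preg_match('#^/user/(\d+)/friends$#', $path, $m)) {
        return ['status' => 404];
    }
    $userId = authenticate($headers, 'GET', $path, '', $now);
    if ($userId === null) {
        return ['status' => 401]; // not authenticated
    }
    if ((int) $m[1] !== $userId) {
        return ['status' => 403]; // authenticated, but this is someone else's resource
    }
    return ['status' => 200, 'friends_of' => $userId];
}

// Demonstration with constructed values.
$now    = 1700000000;
$secret = API_KEYS['key-1001']['secret']; // user 42's key

$own = signRequest('key-1001', $secret, 'GET', '/user/42/friends', '', $now);
echo "own resource:        ", handleFriends($own, '/user/42/friends', $now)['status'], "\n";

$other = signRequest('key-1001', $secret, 'GET', '/user/7/friends', '', $now);
echo "other user's resource: ", handleFriends($other, '/user/7/friends', $now)['status'], "\n";

$tampered = $own;
$tampered['X-Signature'] = strrev($tampered['X-Signature']);
echo "tampered signature:  ", handleFriends($tampered, '/user/42/friends', $now)['status'], "\n";

echo "replayed an hour later: ", handleFriends($own, '/user/42/friends', $now + 3600)['status'], "\n";
```

Note that a signature computed for `/user/42/friends` is rejected outright on `/user/7/friends` because the path is part of the signed string; the 403 case only arises when user 42 legitimately signs a request for user 7's path, which is exactly the situation the ownership check exists for. Secrets still have to be provisioned to the client over a secure channel, and the timestamp window only bounds replay; add a per-request nonce if replays within the window matter.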

Source: https://habr.com/ru/post/1398313/
