Home Do sessions really violate RESTfulness?
Reply: 0

Do sessions really violate RESTfulness?

user1706
1#
user1706 Published in June 18, 2018, 5:22 pm

Is using sessions in a RESTful API really violating RESTfulness? I have seen many opinions going either direction, but I'm not convinced that sessions are RESTless. From my point of view:

  • authentication is not prohibited for RESTfulness (otherwise there'd be little use in RESTful services)
  • authentication is done by sending an authentication token in the request, usually the header
  • this authentication token needs to be obtained somehow and may be revoked, in which case it needs to be renewed
  • the authentication token needs to be validated by the server (otherwise it wouldn't be authentication)

So how do sessions violate this?

  • client-side, sessions are realized using cookies
  • cookies are simply an extra HTTP header
  • a session cookie can be obtained and revoked at any time
  • session cookies can have an infinite life time if need be
  • the session id (authentication token) is validated server-side

As such, to the client, a session cookie is exactly the same as any other HTTP header based authentication mechanism, except that it uses the Cookie header instead of the Authorization or some other proprietary header. If there was no session attached to the cookie value server-side, why would that make a difference? The server side implementation does not need to concern the client as long as the server behaves RESTful. As such, cookies by themselves should not make an API RESTless, and sessions are simply cookies to the client.

Are my assumptions wrong? What makes session cookies RESTless?

You need to login account before you can post.

About| Privacy statement| Terms of Service| Advertising| Contact us| Help| Sitemap|
Processed in 0.415484 second(s) , Gzip On .

© 2016 Powered by mzan.com design MATCHINFO