<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title>/var/log/mind - Latest Comments in Fomenting unREST : Is RESTfulness a semantics game ? Why does REST require statelessness ?</title><link>http://var-log-mind.disqus.com/</link><description>Dhananjay Nene’s free (as in free speech) opinions on all things related to Software Engineering</description><atom:link href="https://var-log-mind.disqus.com/fomenting_unrest_is_restfulness_a_semantics_game_why_does_rest_require_statelessness/latest.rss" rel="self"></atom:link><language>en</language><lastBuildDate>Tue, 09 Jun 2009 16:27:23 -0000</lastBuildDate><item><title>Re: Fomenting unREST : Is RESTfulness a semantics game ? Why does REST require statelessness ?</title><link>http://blog.dhananjaynene.com/2008/11/rest-fomenting-unrest-is-restfulness-a-semantics-game-why-does-rest-require-statelessness/#comment-442489656</link><description>&lt;p&gt;Of course there is state in the server - it would be a very boring application otherwise!  It's the communication that needs to be stateless, a principle that's violated by the use of cookies (and by some uses of headers also).&lt;/p&gt;&lt;p&gt;Pragmatically though, I think security has to be an exception to this, but hopefully one that's made as transparent as possible to the application protocol.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mike Burrows</dc:creator><pubDate>Tue, 09 Jun 2009 16:27:23 -0000</pubDate></item><item><title>Re: Fomenting unREST : Is RESTfulness a semantics game ? Why does REST require statelessness ?</title><link>http://blog.dhananjaynene.com/2008/11/rest-fomenting-unrest-is-restfulness-a-semantics-game-why-does-rest-require-statelessness/#comment-442489621</link><description>&lt;p&gt;REST is stateless, meaning there is no session state tied to a particular client stored on the server. Session id / authorization token is something that you may not want to pass on as a part of the URI. 
I think the authentication part belongs to the header area.&lt;/p&gt;&lt;p&gt;Standard authentication mechanisms like Http Auth, OAuth can help achieve this. Another way of achieving this is by using cookies. The tricky thing with a cookie is to make sure that the server validates the cookie without session state. I read this piece recently on using digest with cookies on the REST-discuss group: &lt;a href="http://tech.groups.yahoo.com/group/rest-discuss/message/10909" rel="nofollow noopener" target="_blank" title="http://tech.groups.yahoo.com/group/rest-discuss/message/10909"&gt;http://tech.groups.yahoo.co...&lt;/a&gt;&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Surya Suravarapu</dc:creator><pubDate>Sat, 04 Apr 2009 02:04:13 -0000</pubDate></item><item><title>Re: Fomenting unREST : Is RESTfulness a semantics game ? Why does REST require statelessness ?</title><link>http://blog.dhananjaynene.com/2008/11/rest-fomenting-unrest-is-restfulness-a-semantics-game-why-does-rest-require-statelessness/#comment-442489627</link><description>&lt;blockquote&gt;If you are providing a REST api then session id is not required.&lt;/blockquote&gt;&lt;p&gt; Agreed in principle. But the way I read REST, a purist approach would completely abhor session id, since that id typically is linked to some state on the server.&lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;blockquote&gt;There are many ways how we can implement a pure REST api for this particular case study. Eg. implementing REST version of oAuth to minimize sending critical info all the time and using smaller access tokens.&lt;/blockquote&gt;&lt;p&gt; Interesting. Would an oAuth access token be considered an id or a resource ? Not sure.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dhananjay Nene</dc:creator><pubDate>Fri, 03 Apr 2009 21:53:28 -0000</pubDate></item><item><title>Re: Fomenting unREST : Is RESTfulness a semantics game ? 
Why does REST require statelessness ?</title><link>http://blog.dhananjaynene.com/2008/11/rest-fomenting-unrest-is-restfulness-a-semantics-game-why-does-rest-require-statelessness/#comment-442489640</link><description>&lt;p&gt;First of all I am not sure if session id is required. If you are providing a REST api then session id is not required. There are many ways how we can implement a pure REST api for this particular case study. Eg. implementing REST version of oAuth to minimize sending critical info all the time and using smaller access tokens. But that is not the point.&lt;br&gt;Point you have raised is correct, sometimes being creator of a technology or architecture style (in this case) we tend to be too rigid about rules and regulation. The best we not so REST api providers can do is call it REST99 (99.9% pure REST) and leave it there.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sushrut Bidwai</dc:creator><pubDate>Fri, 03 Apr 2009 20:00:29 -0000</pubDate></item><item><title>Re: Fomenting unREST : Is RESTfulness a semantics game ? Why does REST require statelessness ?</title><link>http://blog.dhananjaynene.com/2008/11/rest-fomenting-unrest-is-restfulness-a-semantics-game-why-does-rest-require-statelessness/#comment-442489605</link><description>&lt;p&gt;Great article that delves into the practical side of the HATEOAS debate.  Well done.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mike Davison</dc:creator><pubDate>Fri, 03 Apr 2009 17:49:14 -0000</pubDate></item></channel></rss>