tags:

views:

267

answers:

3
+5  Q: 

REST: Keeping track after the back button

I want to write a web app order system using the REST methodology for the first time. I understand the concept of the "message id" when things get posted to a page but this scenario comes up. Once a user posts to the web app, you can keep track of their state with an id attached to the URI but what happens if they hit the back button of the browser to the entry point of the app when they didn't have any id? They then lose their state in the transaction.

I know you can always give them a cookie but you can't do that if they have cookies turned off and, worst case thinking here, they also have javascript turned off.

Now, I understand the answer may be "Yes, that's what will happen", that's the end of the story, and I can live with that but, being new to this, is there something I'm missing?

+4  A: 

REST doesn't really have states server-side; you simply point to resources. User sessions aren't tracked; instead cookies are used to track application state. However, if you find that you really do need session state, then you are going to have to break REST and track it on the server.

A few things to consider:

  • How many of your users have cookies disabled anyway? How many even know how to do that?
  • Is it really likely that your users will have JS turned off? If so, how will you accomplish PUT (edit) and DELETE (delete) without AJAX?

EDIT: Since you do not want to force cookies and JavaScript, then you cannot have a truly RESTful system. But you can somewhat fake it. You are going to need to track a user server-side. You could do this with a session object, as found in your language/framework of choice or by adding a field to the database for whatever you want to know. Of course, when the user hits the back button, they will likely be going to a cached page. If that's not OK, then you will need to modify the headers to disallow caching. Basically, it gets more complicated if you don't use cookies, but not unmanageable.

What about the missing PUT and DELETE HTTP methods? You can fake those with POSTs and a hidden parameter specifying whether or not you are making something new, editing something, or deleting a record. The GET shouldn't really change.

geowa4  2009-08-25 12:55:23
You are correct and my newness to REST shows in how I used the terms. I'm aware of pointing to resources but concerned about what to do should cookies and/or javascript be unavailable. I didn't want to make it "required" only to find out later that wasn't necessary.
Rob  2009-08-25 13:11:23
@Rob: added edit, hope it's helpful.
geowa4  2009-08-25 15:07:20
Yes, very much so. You may have answered my question "Am I missing something?". I'm not trying to force NOT using cookies and javascript. I'm concerned about those users that may have it turned off. More as a "what if" situation.My next step is to consider what can be stored in cookies to keep this RESTful.
Rob  2009-08-25 15:29:29
I don't get it. What do JS and cookies have to do with a RESTful system?
 2009-08-25 16:16:49
@lutz,That's part of my question and, if you know the answer, please give it. Specifically about coookies. Once the user enters a RESTful application from the homepage, let's say, and places an order by accessing different resources, what happens if the user should use the back button and returns to the original home page and starting anew (though thinking he's in the same session)? Is losing all previous orders a given at that point if you don't give the user a cookie?
Rob  2009-08-25 16:23:53
Or is each and every link on the home page pointing to a unique resource for that one user?
Rob  2009-08-25 16:25:58
You lost me again. What do you mean by "RESTful application" and by "accessing different resources"? Could you please describe in more detail the actors and the use cases of your planned system?
 2009-08-25 16:37:58
@Rob: Each URL points to a resource. Your HTTP method determines the action taken upon that resource. You know the user, via cookies or session, so you can do something special for that user and that resource. Cookies and session will not disappear when the back button is used, so you have persistence in that regard. Cookies can even keep someone logged in over many sessions.
geowa4  2009-08-25 16:46:16
@geowa4,Thank you. You answered the question.
Rob  2009-08-25 17:59:44
"You know the user, via cookies or session, so you can do something special for that user" That is absolutely not RESTful. In a RESTful system, I should be able to copy the link in the address bar and email it someone and they should see the same thing as me, assuming they have the permission.
Darrel Miller  2009-08-25 18:20:00
@geowa4 "Instead cookies are used" Where did you get this from? Cookies should not be used to track session state in RESTFul systems. Here is what Roy has to say about cookies http://tech.groups.yahoo.com/group/rest-discuss/message/3583
Darrel Miller  2009-08-25 18:25:35
All I keep hearing is people saying you don't need/shouldn't do but no one has as yet stated what you should do.
Rob  2009-08-25 19:34:03
@Daniel: so how do you keep a user logged in? how do you maintain any other application state? and i never said that the cookies maintain server state, they should only act as an identifier that doesn't give away attack-worthy information. if you actually read/understand the article, then you know that cookies are ok if not used to store server state.
geowa4  2009-08-25 20:58:16
@geowa4 Why do you need to keep a user logged in? The client is more than capable of managing application state without relying on the server. Cookies should maintain an identifier to what? Roy suggest that cookies could be used to maintain user preferences at the expense of scalability. He does not say what you are suggesting.
Darrel Miller  2009-08-27 13:23:13
@Rob If you want to develop a RESTful system, don't use cookies. As a first step, authenticate the user on every request. You can do performance optimization later if it is needed. Maintain the users current state by embedding data and hyperlinks into the representation returned to the client.
Darrel Miller  2009-08-27 13:28:44
@Darrel: you don't keep a user logged in server-side, you keep him logged in with credentials on the client. it seems that we are speaking the same thing in different words. however, putting user identifiers in a url is asking for trouble. i'll just figure out what the url is for your identifier and spoof you. cookies can at least expire.
geowa4  2009-08-27 13:56:30
Yes, that's where my confusion with everything is. How do you authenticate without cookies or a login procedure with every access.
Rob  2009-08-28 13:36:14
you could pass appropriate credentials in the request headers from the client.
geowa4  2009-08-28 14:16:38
A: 

It is true that the "S" in REST stands for "state" and the "T" for "transfer". But the state is is kept on the client, not on the server. The client always hast all information necessary to decide for himself in whicht direction he wants to change the state.

The way you describe it, your system is not restful.

 2009-08-25 13:01:49
This doesn't really answer the question.
unforgiven3  2009-08-25 13:16:21
The question is a -1 as far as REST is concerned, so my answer is quite accurate.
 2009-08-25 13:17:13
Please don't shout. Thank you.
 2009-08-25 13:22:48
There is no REST question here. If you can, please give an answer.
 2009-08-25 13:23:24
I'm sorry, but how isn't there a REST question here? He is trying to write a REST system, he doesn't understand a good portion of it, and is looking for clarification. Where is the absence of a REST question?
unforgiven3  2009-08-25 13:25:21
Since he doesn't understand what REST is, perhaps REST isn't what he wants.
Wahnfrieden  2009-08-25 14:41:41
+2  A: 

The answer is that your application (in a REST scenario) simply doesn't keep track of what happens. All state is managed by the client, and state transitions are effected through URI navigation. The "State Transfer" part of REST refers to client navigation to new URIs which are new states.

A URI accessed with GET is effectively a read-only operation as per both the HTTP spec and the REST methodology. That means if the client "backs up" to some previous URI, "the worst" that happens is another GET is made and more data is loaded.

Let's say the client does this (using highly simplified pseudo-HTTP)...

GET //site.com/product/123

This retrieves information (or maybe a page) about product ID 123, which presumably includes a reference to a URI which can be used to POST that item into the user's shopping cart. So the user decides to buy the item. Again, it's oversimplified but:

POST //site.com/shoppingcart/ {productid = 123}

The return from this might be a representation of the shopping cart, or a reference to the added item (which could be used on the shoppingcart URI with DELETE to remove the item again), or a variety of other things (such as deeper XML describing the cart contents with other URIs pointing to the cart items and back to the original products). It's all up to you.

But the "state" is defined by whatever the client is doing. It isn't tracked on the server at all, although you will certainly keep a copy of his shopping cart contents in your database for some period of time. (I once returned to a website two years later and my shopping cart items were still there...) But it's up to him to keep track of the ID. To your server app it's just another record, presumably with some kind of expiration.

In this way you don't need cookies, and javascript is entirely dependent on the client implementation. It's difficult to build a decent REST client without script -- you could probably build something with XSLT and only return XML from the server, but that's probably more pain than anyone needs.

The starting point is to really understand REST, then design the system, then build it. It definitely doesn't lend itself to building it on the fly like most other systems do (right or wrong).

This is an excellent article that gives you a fairly "pure" look at REST without getting too abstract and without bogging you down with code:

http://www.infoq.com/articles/subbu-allamaraju-rest

McGuireV10  2009-08-28 00:23:00
You bring up a scenario I'm confused about. If you returned to that cart two years later, how did the web site know it was you and not someone else without using cookies? You didn't say you had to login with a name/password so did you? Or are you saying the client is responsible for their own cart and if an outsider gets hold of the URI, it's not our fault? I'm just in a fog at that point because I can't find anything that talks of this (haven't read your article reference yet).If a client has a URI to a form containing an order, how does the site prevent anyone from modifying it?
Rob  2009-08-28 13:32:40
That was just an aside, but yes, I did login -- that wasn't a REST system, and it did use cookies, although mine had expired. I was simply referring to an amusing example of long-term expiry of shopping cart data. But security and authentication are not a concern of the pure REST concept. Essentially the client supplies credentials with every call, but how is up to the API. It appears that the most obvious and simple solution is SSL plus HTTP basic auth (which is good enough for online banking, after all).
McGuireV10  2009-08-28 13:58:30
Note that REST could still be used to create an anonymous shopping cart (no login), but it would only be accessible as long as the client knew the URI to the cart ID. By definition the client could save this URI and access it later (e.g. bookmark it), so it isn't correct to think of this as a sort of poor-man's session, but it's similar to that. But if the user or client didn't store the URI, then it would essentially become orphaned data if it wasn't associated with a login (and hopefully, would eventually be aged off the table).
McGuireV10  2009-08-28 14:08:12
That's a bit of an AHA! moment for me and the first time anyone "admitted" to needing a login or authentication of any sort. I had always thought it must be done but, until someone says so, there was some uncertainty. Thank you.
Rob  2009-08-28 15:00:36

related questions

Retrieving HTTP status code from loaded iframe with Javascript
How to specify an authenticated proxy for a python http connection?
Why does HttpCacheability.Private suppress ETags?
How to respond to an alternate URI in a RESTful web service
Is there a reason to use BufferedReader over InputStreamReader when reading all characters?
What would be a good, windows and iis (http) based distributed version control system
Database query representation impersonating file on Windows share?
How do I use NTLM authentication with Active Directory
Process raw HTTP request content
How would you implement FORM based authentication without a backing database?
Reading "chunked" response with HttpWebResponse
Best way to let users download a file from my website: http or ftp
How do I convert a date to a HTTP-formatted date in .Net / C#
What is the best way to upload a file via an HTTP POST with a web form?
How do I stop IIS7 dropping my cookies?
Checking FTP status codes with a PHP script.
HTTP Libraries for Emacs
Accessing post variables using Java Servlets
HTTP: Generating ETag Header
HTTP: How to know when to send a 304 Not Modified response
How do I best detect an ASP.NET expired session?
How can I make the browser see CSS and Javascript changes?
How to curl or wget a web page?
The Definitive Guide To Website Authentication
Implementation of "Remember me" in a Rails application.