tags:

views:

260

answers:

4
+4  Q: 

How do I make my Web Application stateless yet still do somthing useful?

I've seen this advice...

ideally the web should follow the REST principle and be completely stateless. Therefore a single URL should identify a single resource, without having to keep the navigation history of each user.

...and I read the Wikipedia page http://en.wikipedia.org/wiki/REST and it really sounds good, but I don't get how to actually implement it. I'm working in ASP .NET Webforms NOT MVC.

For example, in the application I am about to build - I need my user to Login before I allow them to do anything. There are a couple of hoops they have to jump through before they are allowed to do much useful - like Accept T's and C's and confirm their basic details are unchanged. Finally they are allowed to do somthing they really want like BuyAProduct!

It seems to me (I come from the HEAVILY stateful world of the Rich client) that I need state to record what they have done and infer from that what they are allowed to do. I don't see how I can support them (say) bookmarking the BuyAProduct URI. When they arrive at the bookmark how do I know if they have logged in and if they agreed to the T's and C's and if they dutifully checked their basic details?

I love the idea of the app being stateless, partly because it seems to completely solve the problem of "What the heck do I do when the user clicks on the Back and Forward buttons?" I don't see how I can still get it to work properly. I feel I am missing somthing really fundamental about this.

+3  A: 

The advice isn't suggesting that the app should be stateless - it's suggesting that the resources in the app should be stateless. That is, a page called "www.mysite.com/resources/123" will always represent the same resource, regardless of which user is accessing it or whether they're logged in or not.

(The fact that you might deny a non-logged-in user access is a separate issue - the point is that the Uri itself doesn't rely on user-specific data to work.)

For example, the kind of sites that break this rule are those where you navigate to a product page, email the Uri to your friend, and on clicking it they see a message along the lines of "I'm sorry, your session has expired" or "This product does not exists" or similar. The reason this happens is because the Uri includes something specific to the user's session on the site, and if a different user tries to use the link (or the same user at a later time), it's no longer valid.

So, you will always still need some form of state for your application, but where that state is implemented is the important factor.

Hope that helps shed a little light!

Dan Puzey  2010-06-10 16:35:18
It would be helpful to note that in some cases, resources are user-specific, so only authorized users would see certain resources and not others. Thus, user-specific interactions are available.
Ryan Riley  2010-06-11 06:58:25
Yes - but the Uri to that resource should remain the same for all users, whether they have access or not. (If this were a REST application, for example, you'd have the Uri return a Http Not Authorised state where relevant, instead of the resource).
Dan Puzey  2010-06-13 13:35:24
+4  A: 

If you want to do Web forms, that's cool. If you want to do REST that's cool too. But please for the love of everything sacred, please don't attempt to adhere to the principles of REST using Web Forms.

Just to clarify this point further, I don't believe webforms is a wise choice for REST because the conceptual model that WebForms is based on is one where you abstract away the web. It was built to emulate the VB development model.

REST embraces HTTP and the distributed nature of web applications. The two approaches are not compatible.

Darrel Miller  2010-06-11 00:01:47
+1 this is like oil and water
Alex James  2010-06-11 00:31:48
No, I think you're wrong, in that the basic principle he's talking about can equally (and *should) be applied to WebForms too: don't put state information in your Uri.
Dan Puzey  2010-06-11 09:02:48
@Dan I think what you meant to say is don't put a reference to server session state in the url. Putting client application state in the URL is a completely restful approach. Regardless, whether the session state is in the URL or is communicated in some other way, like a cookie, session state leads to violation of the REST self-descriptive constraint.
Darrel Miller  2010-06-11 12:48:51
Application state in a Uri is completely contrary to the principles of REST: if *your* Uri to a resource is different to *my* Uri to a resource, that's not a RESTful Uri.
Dan Puzey  2010-06-13 13:34:17
@Dan Once you add a query parameter to an URL you are referring to a different resource. It is not just the path segments that identify the resource.
Darrel Miller  2010-06-13 13:48:41
@Dan In the example http://www.google.com/search?q=rest the search term can be considered application state.
Darrel Miller  2010-06-13 13:51:12
@Dan Here is an even more interesting example: `http://yuml.me/diagram/scruffy/class/[Resource]+1-%3E*[Represenations]`
Darrel Miller  2010-06-13 13:53:01
It could be considered state, but it's not. It doesn't change over time: it's a parameter, an input. It's not state that the application would change over time on behalf of the user.
Dan Puzey  2010-06-14 07:45:40
@Dan I would be very interested if you could point me to some authoritative source that validates your perspective on client application state.
Darrel Miller  2010-06-14 11:22:19
@Darrel I think what Dan is alluding to is this the Richardson Maturity Model: http://code.google.com/p/implementing-rest/wiki/RMM. Yes, you can do that, and yes, you can call it RESTful. But how RESTful is it, really?
Ryan Riley  2010-06-14 22:51:46
Darrel Miller  2010-06-15 01:51:03
A: 

Here's the thing: REST is about stateful communications over a stateless protocol. It's not that REST is stateless. WebForms enables you to retain state between requests. Why is that necessary? It let's you do things like sort items on a list with up/down buttons without having to update the underlying resource with each click. You don't need that. You could just PUT the resource representation so that it looks correct or use JavaScript to edit your representation and then do a PUT at the end once you are satisfied. (Note that I used PUT, not POST. What you are really doing is replacing the representation so that future GETs retrieve the right state.)

WebForms uses POST for everything. You should only POST to a URL when you are creating a new item and don't know where it will live. If you know its url, then you should use PUT to create or replace. If you need intermediary steps for, say, a shopping cart, then you should create resource representations for those intermediary steps. Your browser and server communicate by passing full representations between each other. It's simple request/response message passing.

WebForms doesn't encourage this. You can build RESTful systems in WebForms, but the default model will push you away from it towards a RPC approach. I can think of two ways around this: Front Controller (in which case you should really consider MVC) or using .ashx files for almost everything. The Postback model pretty well obliterates any real hope of doing true REST with real WebForms/.aspx (i.e. PUT and DELETE are always POSTs and thus fail the REST model).

Ryan Riley  2010-06-11 06:55:52
As per RFC2616 POST can be used to send an entity to a processing resource. This does not imply creating of a resource. Creating is only one of the uses of POST. There is no requirement to use PUT and DELETE to be RESTful. See this FAQ https://code.google.com/p/implementing-rest/wiki/FAQ
Darrel Miller  2010-06-11 12:59:48
@Darrel Fair enough. I probably lean too far towards being explicit. The problem I see is that it makes it too easy to explain everything away, which leads back to RPC.
Ryan Riley  2010-06-14 22:49:13
@Darrel What I'm focused on is Level 3 of the Richardson Maturity Model: http://code.google.com/p/implementing-rest/wiki/RMM. Well, maybe level 2. :)
Ryan Riley  2010-06-14 22:52:16
@Ryan Yes, using POST for lots of things can easily lead back to RPC if people don't have clear understanding of the other REST constraints.
Darrel Miller  2010-06-14 23:01:53
A: 

A cookie would seem to be the answer to your question. You can use the the .net authentication provider which will set a cookie, that your application can check for and require the presence for if they're to buy anything.

The thing you want to try and avoid is keeping a state representation of them on the server, aka session cookie. That will make scaling more difficult.

danswain  2010-06-11 08:06:20

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps