tags:

views:

640

answers:

4
+5  Q: 

Licenses and sessions the RESTful way

This question crossed my mind after I read this post: “Common REST Mistakes: Sessions are irrelevant”

If sessions are indeed discouraged in a RESTful application. How would you handle licenses in such application. I'm specifically referring to concurrent licenses model and not named licenses. i.e. the customer buys X licenses which means the application may allow up to X users to be logged in simultaneously. Which means that the application must hold a state for current logged in users.

I know I can create a resource called licenses, which will set a cookie or generate a unique ID, and then the client will have to send it with every request. But it's the same as creating a session, right?

If I'll adopt the stateless approach and ask the client to create an authentication token for every request how will the application know when to consume and release license for that client?

Is there an alternative? specifically a more RESTful alternative?

+4  A: 

Let me try to connect the dots for you, assuming I interpreted your question correctly. The link you posted has a valid answer, each request should use a HTTP auth. If you need the concept of licences to maintain a certain state for your user, you can most likely link that to the user. You have a (verified) username to go by. You just need to invoke that controller for each request and save its state. There you have your session.

Cookie input should never be trusted for any critical information, but can be very useful for extra verification like a security token. I think adding a random security token field to your on-site links would be the restful approach to that. It should expire with the 'session', of course.

Aram Verstegen  2009-02-13 09:29:13
When will I invoke release license? to allow another user to log in.I don't want the license to be consumed only for the milliseconds the request actually being processed in the server, but for the whole time the user is active.
LiorH  2009-02-13 09:38:12
That's why you should save the state. The session/license should be destroyed when the user clicks a logout link, or after a timeout. (Which can be a field in the database table, like a timestamp last_login which will get updated to the current timestamp for valid requests.)
Aram Verstegen  2009-02-13 09:46:15
@Aram Verstegen, you said that's why he should save the state, but if he saves the state, doesn't that violate REST principles?
unforgiven3  2009-02-13 15:50:38
Hmm, that's a good question. I think the concept of keeping stateless only applies to HTTP. Whatever you do beyond that is totally up to you.
Aram Verstegen  2009-02-13 16:41:41
+1  A: 

You may want to consider pushing the license handling concerns down the infrastructure stack one level. Sort of like an Aspect Oriented Programming (AOP) approach if you will. Instead of handling it in the application tier, perhaps, you can push it in to the web server tier.

Without knowing the details of your infrastructure, it is hard to give a specific recommendation. Using the *nix platform as an example, the license handling logic can be implemented as a module for Apache HTTP server.

This approach promotes a separation of concerns across your infrastructure stack. It allows each layer to focus on what it is meant to. The application layer does not need to worry about licensing at all, allowing it to focus strictly on content, which in turn keeps the URL's clean and "RESTful".

Steve Levine  2009-02-13 15:09:57
+1  A: 

If your licensing is based on concurrent users, implementing HTTP digest is trivial, and will let you enable only the maximum number of concurrent logins. Digest has provision for passing expiration data so your session can be timed-out.

Authentication state is hold by http authetnication and nowhere else, beause it is transparent and ubiquituous.

serialseb  2009-02-15 09:55:32
A: 

Maybe a more RESTful way of doing licenses would be to limit the rate at which requests are handled, rather than the number of concurrent sessions. Keep track of the number of requests in the last hour, and if it exceeds the number the customer has paid for, serve a 503 Service Unavailable response, along with some text suggesting the user try again later.

Tom Anderson  2010-09-08 18:27:12

related questions

How do I write Firefox add-on that automatically enters proxy passwords?
Login Integration in PHP
Strange Rails Authentication Issue
Concurrent logins in a web farm
Is there a browser equivalent to IE's ClearAuthenticationCache?
How can I authenticate using client credentials in WCF just once?
Why can't I connect to my CAS server with Perl's AuthCAS?
Best Solution For Authentication in Ruby on Rails
Authenticate on an ASP.Net Forms Authorization website from a console app
How do I use NTLM authentication with Active Directory
What have you used Windows CardSpace for, if anything
Forms Authentication across Applications
Retreiving the PC Name of a Client? (Windows Auth)
How would you implement FORM based authentication without a backing database?
What's the best way to authenticate over WCF?
Only accepting certain ajax requests from authenticated users
OpenID authentication in Ruby on Rails
OpenID Attribute Exchange - should I use it?
OpenID: which provider should I recommend to my users?
What to use for login ID?
ASP.NET authentication: user name Vs User ID
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Checklist for IIS 6/ASP.NET Windows Authentication?
The Definitive Guide To Website Authentication