I have a need to create an HttpSession (via cookie) whenever a client invokes a particular UI.

Assumptions:

  • Let's assume that I'm not going to worry about any deep OAuth-like authentication dance. JSESSIONID cookie impersonation is not an issue for now.
  • The server is tomcat, thus a JSESSIONID cookie is sent down to the client if a new session is created.

Design issues:

  1. I'm grappling with how to design the URI. What is actually the REST resource? I already have /users and /users/{someuserid}. I wanted to use /auth/login, but in one previous SO question, one cited article says that we should not have verbs in the URL. I've noticed that even Google makes the same mistake by having https://www.google.com/accounts/OAuthGetRequestToken. So in your opinion, are /auth/login/johndoe (login) and /auth/logout/johndoe (logout) good options?

UPDATE:

I've changed my design. I'm now thinking of using the URIs /session/johndoe (PUT for login, DELETE for logout). It should still be within the limits of the REST ethos?

Thanks to all.
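The /session/{userid} design from the UPDATE, as an added example that is not part of the question or any answer: a servlet where PUT establishes the Tomcat HttpSession (so the JSESSIONID cookie is issued) and DELETE invalidates it. It assumes a Servlet 3.1+ container (for changeSessionId) and, as the question does, that credential checking happens elsewhere.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
@WebServlet("/session/*")
public class SessionResource extends HttpServlet {
    // Extract "johndoe" from /session/johndoe; reject anything else.
    private static String userId(HttpServletRequest req) {
        String path = req.getPathInfo();              // e.g. "/johndoe"
        if (path == null || path.length() < 2 || path.indexOf('/', 1) >= 0) {
            return null;
        }
        return path.substring(1);
    }
    // PUT /session/{userid}: establish the session (login).
    @Override
    protected void doPut(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = userId(req);
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        boolean existed = req.getSession(false) != null;
        HttpSession session = req.getSession(true);   // Tomcat issues JSESSIONID here
        if (existed) {
            req.changeSessionId();   // fresh id on login so a pre-login id is not kept (Servlet 3.1+)
        }
        session.setAttribute("userId", user);
        // PUT is idempotent: repeating it still leaves exactly one session for this user.
        resp.setStatus(existed ? HttpServletResponse.SC_OK : HttpServletResponse.SC_CREATED);
    }
    // DELETE /session/{userid}: tear the session down (logout).
    @Override
    protected void doDelete(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = userId(req);
        HttpSession session = req.getSession(false);
        // Only the session's own user may delete it; anything else is "no such resource".
        if (user == null || session == null || !user.equals(session.getAttribute("userId"))) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        session.invalidate();
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

A client then logs in with `PUT /session/johndoe`, keeps the returned JSESSIONID cookie, and logs out with `DELETE /session/johndoe` carrying that cookie.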

+4  A: 

Aren't sessions irrelevant in REST Style Architecture?

http://www.prescod.net/rest/mistakes/

CodeToGlory
In my case, I really need to have a session, because each session establishment consumes a "considerable" resource in my backend.
Jacques René Mesrine
If you really "need" this session then I suggest you stop trying to make your application RESTful. You will be swimming upstream all the way. Removing "application state" from the server is one of the core constraints of REST.
Darrel Miller
I have no other choice. The webapp is in a servlet container.
Jacques René Mesrine
A: 

I am in the midst of creating a REST endpoint that recognizes sessions. I've standardized on:

It is working well.

Jacques René Mesrine