Hello there,

We're currently facing a dilemma with our REST application. Since we sell accounts for this application, we'd need a way to limit the concurrent number of users using an account. It happens that we sell one account and have many users use the authentication credentials of that account.

Now, REST principles state that the server must not store any application state (for example, user sessions), so this seems to contradict our (commercially-motivated, agreed) needs. We thought about having the client send a cookie (I'm cookie-ignorant) with each request, and have the resources check that cookie, which would 'expire' after a given amount of time, or when the user explicitly states so (there's a Logout button on our UI, which just works on IE and FF for now, using a REST-based "logout" technique: basically it sends bogus authentication credentials, invalidating the browser's cached ones). Cookies seem to be accepted as a RESTful way of exchanging such "state" information.

This, of course, poses another issue: how does the user renew the cookie when the session is nearing expiration? Is this handled automatically? As I've mentioned above, I'm cookie-ignorant; forgive me if I ask nonsense.

How did you solve this issue on your REST(let) applications? Any examples I can take a look at?

Thanks in advance for your answers.

--
Fabián Mandelbaum
IS Engineer

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2683227
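The mechanics the post asks about (an expiring session cookie, renewal as expiry approaches, explicit logout, and a per-account cap on concurrent users) can be sketched as follows. This is an added example written for this page, not code from the original post or from the Restlet project; the HMAC key, the 30-minute token lifetime, the 5-minute renewal window and the in-memory `AccountSessions` registry are all assumptions. The token itself is self-describing and signature-checked, so any server node can validate it without a session store; the small per-account table of live session ids is the one piece of server state that a concurrency limit cannot avoid.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple

# Constructed demo values (assumptions, not from the original post).
SECRET_KEY = b"constructed-demo-key-replace-with-a-random-secret"
SESSION_TTL = 1800      # seconds a token stays valid after issue or renewal
RENEW_WINDOW = 300      # issue a replacement when this close to expiry


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> str:
    return _b64(hmac.new(SECRET_KEY, body.encode("ascii"), hashlib.sha256).digest())


def issue_token(account: str, now: int, tid: Optional[str] = None) -> str:
    """Build a signed token of the form base64(payload).base64(hmac)."""
    payload = {
        "acct": account,
        "tid": tid or secrets.token_hex(8),  # session id, kept across renewals
        "iat": now,
        "exp": now + SESSION_TTL,
    }
    body = _b64(json.dumps(payload, sort_keys=True).encode("utf-8"))
    return f"{body}.{_sign(body)}"


def verify_token(token: str, now: int) -> Optional[dict]:
    """Return the payload if the signature checks out and the token is unexpired."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    if not hmac.compare_digest(sig, _sign(body)):  # constant-time comparison
        return None
    try:
        payload = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(payload, dict) or now >= payload.get("exp", 0):
        return None
    return payload


class AccountSessions:
    """Per-account registry of live session ids: the minimal server-side state."""

    def __init__(self, max_concurrent: int):
        self.max_concurrent = max_concurrent
        self.active: Dict[str, Dict[str, int]] = {}  # account -> {tid: exp}

    def _prune(self, account: str, now: int) -> None:
        live = self.active.get(account, {})
        self.active[account] = {t: e for t, e in live.items() if e > now}

    def login(self, account: str, now: int) -> Optional[str]:
        self._prune(account, now)
        if len(self.active[account]) >= self.max_concurrent:
            return None  # seat limit reached for this account
        token = issue_token(account, now)
        payload = verify_token(token, now)
        self.active[account][payload["tid"]] = payload["exp"]
        return token

    def authorize(self, token: str, now: int) -> Tuple[Optional[dict], Optional[str]]:
        """Return (payload, replacement_token); replacement is None unless renewed."""
        payload = verify_token(token, now)
        if payload is None:
            return None, None
        self._prune(payload["acct"], now)
        if payload["tid"] not in self.active[payload["acct"]]:
            return None, None  # logged out, expired, or never registered
        renewed = None
        if payload["exp"] - now <= RENEW_WINDOW:
            # Sliding renewal: same session id, fresh expiry, new signature
            renewed = issue_token(payload["acct"], now, tid=payload["tid"])
            self.active[payload["acct"]][payload["tid"]] = now + SESSION_TTL
        return payload, renewed

    def logout(self, token: str, now: int) -> bool:
        payload = verify_token(token, now)
        if payload is None:
            return False
        return self.active.get(payload["acct"], {}).pop(payload["tid"], None) is not None
```

In an HTTP deployment the token would travel in a cookie marked `Secure` and `HttpOnly`; `authorize` returning a replacement token is the server's cue to send a fresh `Set-Cookie`, so renewal is transparent to the client and the user never has to act before expiry. Logout removes the session id from the registry, which frees a seat immediately even though the old token's signature is still valid.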

