Hi Fabian,
> We thought about having the client send a cookie (I'm cookie-ignorant)
> with each request, and have the resources check that cookie, which
> would 'expire' after a given ammount of time, or when the user
> explicitly states so (there's a Logout button on our UI, which just
> works on IE and FF for now, using a REST-based "logout" technique:
> basically it sends bogus authentication credentials invalidating the
> browser's cached ones). Cookies seem to be accepted as a RESTful way
> of exchanging such "state" information.
>
> This of course, posses another issue, how does the user renew the
> cookie when the session is nearing expiration? Is this handled
> automatically? As I've mentionned above, I'm cookie-ignorant, forgive
> me if I ask nonsense.
It could be renewed with every request send to the server. This is the
same as with sessions.
> Now, REST principles state that the server must not store any
> application state (for example, user sessions), so this seems to
> contradict our (commercially-motivated, agreed) needs.
You could handle this via Servlet API. Than your Restlet application
stays stateless, and you have your session to chek.
best regards
Stephan
------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2683255
