There's nothing in REST for or against sessions -- that's not its domain. Your higher level app can definitely have sessions.

I do not recommend renewing your cookie for every request to keep the session from expiring. Instead, have your cookie store a session ID, and maintain a session table on your server (via a memory DB or persistent, as you prefer). You can update the session expiration per hit you get on resources within the session.

This is standard practice for web applications: even if they are not overtly RESTful, they need to use HTTP. :)

Where this can affect REST is your URI space: sessions end up being resources. For example, you might allow a superuser access to a resource which lets them list all open sessions, and then perhaps query session data (GET) and log out sessions (DELETE).

It's quite rare for me to write a RESTful service that does not have some kind of sessions.

-Tal

On 11/19/2010 10:53 AM, Fabian Mandelbaum wrote:
> Hello there,
>
> We're currently facing a dilemma with our REST application. Since we
> sell accounts for this application, we'd need a way to limit the
> concurrent number of users using an account. It happens that we sell
> one account and have many users use the authentication credentials of
> that account.
>
> Now, REST principles state that the server must not store any
> application state (for example, user sessions), so this seems to
> contradict our (commercially-motivated, agreed) needs.
>
> We thought about having the client send a cookie (I'm cookie-ignorant)
> with each request, and have the resources check that cookie, which
> would 'expire' after a given amount of time, or when the user
> explicitly states so (there's a Logout button on our UI, which just
> works on IE and FF for now, using a REST-based "logout" technique:
> basically it sends bogus authentication credentials invalidating the
> browser's cached ones). Cookies seem to be accepted as a RESTful way
> of exchanging such "state" information.
>
> This, of course, poses another issue: how does the user renew the
> cookie when the session is nearing expiration? Is this handled
> automatically? As I've mentioned above, I'm cookie-ignorant, forgive
> me if I ask nonsense.
>
> How did you solve this issue on your REST(let) applications? Any
> examples I can take a look at?
>
> Thanks in advance for your answers.

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2683498
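
The session table described in the reply above, sketched as an added example (not part of the original thread, and not Restlet code): the cookie carries only an opaque session ID, each request slides the expiry on the server, and a per-account cap covers the concurrent-user limit from the original question. The class and method names, the timeout and the cap are assumptions chosen for illustration.

```python
import secrets
import time


class SessionTable:
    """Server-side session table keyed by the opaque ID stored in the cookie."""

    def __init__(self, idle_timeout=900, max_per_account=2, clock=time.monotonic):
        self.idle_timeout = idle_timeout        # seconds of inactivity allowed
        self.max_per_account = max_per_account  # concurrent sessions per account
        self.clock = clock                      # injectable so expiry is testable
        self._sessions = {}                     # sid -> {"account", "expires"}

    def _purge(self):
        """Drop expired sessions so they stop counting against the cap."""
        now = self.clock()
        for sid in [s for s, r in self._sessions.items() if r["expires"] <= now]:
            del self._sessions[sid]

    def open_sessions(self, account=None):
        """GET on the sessions collection: all live IDs, or one account's."""
        self._purge()
        return [s for s, r in self._sessions.items()
                if account is None or r["account"] == account]

    def login(self, account):
        """After authentication: issue a session ID, or None if at the cap."""
        if len(self.open_sessions(account)) >= self.max_per_account:
            return None
        sid = secrets.token_urlsafe(32)  # unguessable; this value goes in the cookie
        self._sessions[sid] = {"account": account,
                               "expires": self.clock() + self.idle_timeout}
        return sid

    def touch(self, sid):
        """Per request: validate the cookie's ID and slide the expiry forward."""
        self._purge()
        record = self._sessions.get(sid)
        if record is None:
            return None                  # unknown, expired or logged out
        record["expires"] = self.clock() + self.idle_timeout
        return record["account"]

    def delete(self, sid):
        """DELETE on a session resource: logout, by the user or a superuser."""
        return self._sessions.pop(sid, None) is not None
```

Because expiry is tracked in the table, the cookie never needs to be reissued to keep a session alive, and deleting the row invalidates the session even if the browser still sends the old cookie.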

