On 04/16/2012 11:44 AM, Oved Ourfalli wrote:
----- Original Message -----
From: "Geert Jansen"<[email protected]>
To: "Miki Kenneth"<[email protected]>
Cc: "Oved Ourfalli"<[email protected]>, "engine-devel"<[email protected]>, "Eoghan Glynn"<[email protected]>
Sent: Monday, April 16, 2012 11:34:26 AM
Subject: Re: [Engine-devel] REST session management
On 04/16/2012 10:04 AM, Miki Kenneth wrote:
I agree on that, although I'm not sure whether it is really needed to
release the session, rather than rely on timeout.
If we indeed need to provide a way to release the session then I
agree this is the best alternative. But if we don't then it will
make the API to the client more (but not very) complex in that
manner.
>
I would go for both - release mechanism (for proper handling) and
timeout mechanism for garbage collection.
(refer to:
http://blog.synopse.info/post/2011/05/24/How-to-implement-RESTful-authentication)
Agreed we need both. I think that for security purposes, it is important
to have a "log out" function. That way, client applications can decide
depending on their local security requirements whether or not it is
acceptable to leave a session open.
So (unless someone objects) let's go for option #2 (using the Prefer header on
each and every request, and release the session once it is not there).
My only objection is that you implement a draft spec and implement a
header without even bothering to register it - or asking if there is
such an identical-purposed header with a different name which may get
registered / is already in use somewhere.
Y.
Thank you,
Oved
Regards,
Geert
_______________________________________________
Engine-devel mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/engine-devel