* Michael Schuerig <michael@...> [2008-06-11 02:30]:
> Authentication information is usually enough.
Then you don’t need to store anything on the server. There is no
need for a session at all. Either use HTTP Auth or, in case you
are talking to a browser, use a cookie like this:
With this scheme, cookies cannot be forged because generating
a correct message hash requires knowledge of the server secret
that is not part of the cookie. So if the client sends you a
cookie whose hash checks out, you know it’s a cookie you minted
and you can therefore trust the username portion of the cookie.
Aside from the server secret, which is easily kept in memory,
you don’t need any information external to the cookie in order
to verify it: no on-disk session.
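As an added example that is not part of the original post, the following Python sketches the scheme described above: the cookie carries the username plus a message authentication code over it computed with a secret held only on the server, so verifying a presented cookie needs nothing but that secret. The `username:tag` layout, the use of HMAC-SHA256 and the base64url encoding are assumptions made here; the post's own cookie format is not shown on this page.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed secret for the example. A real deployment generates this
# randomly and keeps it in server memory; it never travels in the cookie.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def _tag(username: str, secret: bytes) -> str:
    """HMAC-SHA256 over the username, base64url without padding.

    The alphabet contains no ':' so the tag can be split off unambiguously.
    """
    mac = hmac.new(secret, username.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode("ascii").rstrip("=")


def mint_cookie(username: str, secret: bytes = SERVER_SECRET) -> str:
    """Server side: issue 'username:tag' after the user has authenticated."""
    return f"{username}:{_tag(username, secret)}"


def verify_cookie(cookie: str, secret: bytes = SERVER_SECRET) -> Optional[str]:
    """Server side: return the trusted username, or None if the cookie is
    malformed, was minted under a different secret, or was altered."""
    username, sep, presented = cookie.rpartition(":")
    if not sep or not username:
        return None
    expected = _tag(username, secret)
    # Constant-time comparison so a wrong tag does not leak how wrong it is.
    if not hmac.compare_digest(expected, presented):
        return None
    return username


if __name__ == "__main__":
    cookie = mint_cookie("alice")
    print("minted  :", cookie)
    print("verified:", verify_cookie(cookie))
    # A client that edits the username without knowing the secret cannot
    # produce a matching tag, so the forged cookie is rejected.
    forged = cookie.replace("alice", "mallory")
    print("forged  :", verify_cookie(forged))
```

The username is recovered with `rpartition` rather than `split` because the tag alphabet excludes `:` while a username might not. One property worth noting for this minimal layout: the signed payload is only the username, so a cookie stays valid until the server secret changes; including an expiry time inside the signed payload is the usual way to bound that.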
* Bruno Harbulot <Bruno.Harbulot@...> [2008-06-11 04:45]:
> I think this doesn't contradict the stateless interactions
> principle of REST, as long as the session is only used for
> authentication purposes.
I've come to see pretty URLs as part of a resource-oriented system, although this is not strictly true, of course. That I've been using Ruby on Rails for...
When I want to track a user throughout multiple requests (session) without using a cookie, I use HTTP Authentication. I will point out that most of the time I...
... I think you should start by questioning whether you need sessions in the first place. What data are you storing in them and why does that data not deserve...
... When I have a *user* interface where some resources need authenticated access, then I need some kind of session, don't I? Michael -- Michael Schuerig ...
... Not necessarily. If you want to be purely RESTful, you'd strive to use HTTP authentication for such things, but practically that's tough. Often,...
Hello, ... I agree entirely. Although I'd also prefer authentication mechanisms based on WWW-Authenticate (and related headers), sometimes, it's practically...
... Then you don’t need to store anything on the server. There is no need for a session at all. Either use HTTP Auth or, in case you are talking to a...
... I don't want to use a cookie, that's more or less the whole point of my original message. I know how to get what I want with a cookie, my question is,...
... I'm not sure why you're so against cookies. They usually conflict with the stateless interactions principle, but in this case you have little choice. ... ...
... Bruno, thanks for your extensive reply. I'm not a fervent opponent of cookies and JavaScript, indeed, I'm happily using both of them. The reason for my...
... Ah, I sort of missed that part. How could you possibly do that? The auth information has to be *some*where – either in the URI, or in headers, or in the...
... I spent quite a lot of time on this issue a few months back, determined to not use cookies. I implemented an http basic auth solution for parts of the api,...
Michael Schuerig wrote (in ... When you have a user interface in which access to some resources requires authentication (and, presumably, authorization), there...
... Most respondents have apparently understood "session" as meaning server-side conversational state. That's not what I had in mind, I'm quite content with...
Michael- I've had good luck with a two-step page load: the html page is rendered regardless of identity/authorization and is identical for all users (and is...
Michael: Some comments on the HTTP Auth issue: First, HTTP Auth is your best (safest, easiest, most portable) way to identify your users. This is especially...
... Unfortunately, because they are what they are, they are not acceptable. I see your point regarding non-human interaction, but that's a different issue. ......
... As you point out, the only problem with cookies used in a RESTful way (i.e. not identifying server-side conversation state) is that you can't have two...
... Another issue is that some users don't want (allow, trust) cookies. I can't tell how much of a problem this really is, but I know that I get annoyed when I...
... As far as I know, most browsers also effectively perform single-sign on of a single user (for that realm) across tabs and windows with HTTP authentication....
... Then instead of sending 403 with a login page in the body, send 303 with the non-personalised URI in Location. Don’t forget to Vary on whatever header...
Michael Schuerig wrote (in ... Identification of resources is fundamental to the Representational State Transfer. I favor promoting representations to...
... I agree when it comes to non-human requesters, for human beings I'm not convinced. ... Agreed, but that is the state of things, and to my mind it is a ...
... It does matter, even for human users: think of it as "bookmarkable" URLs. Have you ever been on a shopping website, looked at a product, found it...