rest-discuss · REST Discussion Mailing List
Message #3583 of 14029
Re: [rest-discuss] REST, HTTP, Sessions and Cookies

> Any application of cookies breaks REST, because they are by definition
> stateful, and all REST interactions are stateless. That doesn't mean
> they don't have their uses, of course. But there are other ways of doing
> "sessions" statelessly, and doing them statefully is not REST.

That concept tends to be a little confusing, partly because HTTP,
like many network protocols, has a notion of stateless interactions
that only refers to having all of the information needed to
understand each request inside the request or defined by universal
standard. REST goes further and constrains application state
(not resource state) to be held on the client. It is hard to
describe without further defining what "application" means, but
we can think of it as the context between user agent requests:
the server cannot be aware of any such context and still be REST.

This is also what allows individual pages to be bookmarked and
shared with others, but that's a longer story.

The purpose of statelessness is to prevent partial failures and
allow for substrate independence (e.g., load-balanced gateways
managing the traffic for many servers). Cookies don't
necessarily break that because they are inside the request,
unless developers make the mistake of defining the cookie such
that it varies by gateway.

Most of the problems with cookies are due to breaking visibility,
which impacts caching and the hypertext application engine, but
even worse is its use for authentication, as evidenced by the
cross-site-scripting security holes in sites that use it.
It ends up being a weird trade-off of security versus efficiency.

Using cookies is more efficient than authentication because the
server (and intermediaries) will simply ignore cookies for the
vast majority of URI (e.g., inline images). That allows everything
except the pages that set cookies to be cacheable, and those are
typically non-cacheable pages in any case. However, using cookies
in that fashion means the server is relying on security by obscurity
to associate the client's stored cookie with the application state
(attackers' ability to guess the cookie or obtain it illegitimately
via XSS). Likewise, keeping state in the cookie means that the
URIs can be independent of the user state, but doing that messes up
the client's understanding of state as presented by the hypertext
engine: it breaks the "back" button.

Unfortunately, cookies were not presented for discussion by the
community until after they had been deployed and announced as one
of Netscape's infamous "extensions". If they had, then it is more
likely that HTML would have been extended to indicate selectable
items, and browsers could then have developed a client-side
market basket that is more reliable and subject to a fancier UI.
Doing that now is simply a chicken-and-egg problem: browsers won't
bother until there is user demand for the feature, and sites won't
offer it as an option until browsers implement it consistently.
Java was supposed to solve that problem, but Sun screwed that up.

Cookies that simply store a reference to server-maintained state
do violate REST's constraint on state being stored on the client,
rather than the server, for scalability. The effect of violating
that constraint can be seen on any site that uses client-sessions
on the back-end, such as is common in J2SE. Such sites are usually
several orders of magnitude less scalable than REST-based
applications, but some folks still prefer it for "personalization".
My experience has been that this is the number one cause of failed
website applications: reliance on server-side sessions.

BTW, "personalization" can be defined as deliberately trading off
scalability for customized content. The advertising folks who took
over the Web design space in 1996 claimed that this was a necessity,
often making it a core component of third-party "evaluations" of
website usability, but if you actually go and talk to the customers
using those sites you will find that they hate it with a passion.
Amazon is the only site that did it well, and it continues to cost
them a fortune in back-end costs.

....Roy

Roy T. Fielding (roy_fielding), Wed Apr 16, 2003 3:36 am
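The two uses of a cookie that Roy contrasts above, an opaque reference to state held on the server versus the application state itself carried in the cookie, are shown in the following Python example. It is an added illustration, not code from the post or from the rest-discuss thread. The basket contents, the shared key, the per-server stores and all function names are constructed for the example. The self-contained variant protects the state with an HMAC tag so the client cannot alter the basket; the reference variant shows why a guessable session id is "security by obscurity" and why a second server behind a gateway cannot resolve a reference it never issued.

```python
import base64
import hashlib
import hmac
import json
import secrets
from http.cookies import SimpleCookie

# Constructed sample application state: the shopping basket the thread talks about.
SAMPLE_BASKET = {"items": ["sku-123", "sku-456"], "qty": {"sku-123": 2, "sku-456": 1}}


# --- Style 1: the cookie is an opaque reference to state held on the server ---
# The store is per server, so a load-balanced gateway that routes the next
# request to a different server cannot resolve the reference.

def new_session_ref(store, state, weak=False):
    """Create a session in this server's store and return its identifier.

    weak=True mimics a sequential session id, which an attacker can guess;
    the default is 128 bits from the OS CSPRNG.
    """
    sid = str(len(store) + 1) if weak else secrets.token_urlsafe(16)
    store[sid] = state
    return sid


def resolve_session_ref(store, sid):
    """Look the reference up on this server; None if this server never issued it."""
    return store.get(sid)


# --- Style 2: the state itself travels in the cookie, integrity-protected ---
# Any server that holds the shared key can reconstruct and verify the state
# without a shared session store, so the server side stays stateless.

def _b64encode(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")  # '=' is not a legal cookie char


def _b64decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_state(state, key):
    """Serialize the state and append an HMAC-SHA256 tag: '<payload>.<hex tag>'."""
    payload = _b64encode(json.dumps(state, sort_keys=True).encode())
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_state(cookie_value, key):
    """Return the state if the tag verifies under key, else None.

    The client can read the cookie (it is signed, not encrypted) but cannot
    change the basket, e.g. a quantity, without the server noticing.
    """
    payload, sep, tag = cookie_value.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    try:
        return json.loads(_b64decode(payload))
    except ValueError:
        return None


def set_cookie_header(name, value):
    """Build the Set-Cookie header with the flags that blunt the XSS theft path."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["httponly"] = True  # script on the page cannot read document.cookie
    jar[name]["secure"] = True    # only sent over TLS
    jar[name]["path"] = "/"
    return jar.output(header="Set-Cookie:").strip()


def demo():
    key = b"constructed-shared-key"  # in practice a random key shared by all servers
    # Style 1 behind a load balancer: server A issues, server B gets the next request.
    server_a, server_b = {}, {}
    sid = new_session_ref(server_a, SAMPLE_BASKET)
    on_a = resolve_session_ref(server_a, sid)
    on_b = resolve_session_ref(server_b, sid)
    # Style 2: server B verifies what server A issued; a forged payload is rejected.
    cookie = sign_state(SAMPLE_BASKET, key)
    attacker = sign_state({"items": ["sku-123"], "qty": {"sku-123": 999}}, b"attacker-key")
    forged = attacker.rpartition(".")[0] + "." + cookie.rpartition(".")[2]
    return {
        "ref_resolves_on_issuer": on_a == SAMPLE_BASKET,
        "ref_resolves_on_other_server": on_b is not None,
        "signed_verifies_anywhere": verify_state(cookie, key) == SAMPLE_BASKET,
        "forged_payload_rejected": verify_state(forged, key) is None,
        "weak_id_is_guessable": new_session_ref({}, SAMPLE_BASKET, weak=True) == "1",
        "set_cookie": set_cookie_header("basket", cookie),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The signed cookie is readable by the client, so state that must stay confidential needs encryption on top of the tag; the HttpOnly flag is what keeps script injected into a page from reading either kind of cookie, which is the theft path Roy mentions.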

Message List: REST, HTTP, Sessions and Cookies

sem_antico, Apr 10, 2003 7:51 pm:
  Following on from the recent thread which discussed modelling a multi page form submission process using REST principles, I'm wondering if there is any place...

S. Mike Dierken (mdierken), Apr 12, 2003 10:01 pm:
  ... From: "sem_antico" <rest-discuss@...> ... If one of the REST principles is visibility into messages for key information - like...

Nic Ferrier (nferrier_tap...), Apr 12, 2003 10:35 pm:
  ... Remember that for web services the existing model is not really broken. It's only really broken in the way browsers work and the way most marketing...

Seairth Jacobs (seairthjacobs), Apr 13, 2003 12:55 am:
  From: "Nic Ferrier" <nferrier@...> ... Except that entity already has a use: to be displayed if the user hits the cancel button. An...

Nic Ferrier (nferrier_tap...), Apr 13, 2003 1:11 am:
  ... You misunderstand me. When a user requests a protected resource the server can send back an entity body with the initial 401. The rfc says that the entity...

Nic Ferrier (nferrier_tap...), Apr 23, 2003 9:46 pm:
  I have just given a talk about REST to the other techies at my current client (including the man in charge of development). The audience was of mixed ability,...

Mike Dierken (mdierken), Apr 24, 2003 4:30 am:
  ... From: "Nic Ferrier" <nferrier@...> ... This is truly an understatement. Even when explained, it takes some implementation practice for...

S. Alexander Jacobson (shop2it), May 1, 2003 12:07 am:
  The sessions issue seems like a Red Herring. You make UI web servers that interact with the web service. They can be as stateful as you want them to be...

Mark Baker (gonga_thrash), Apr 13, 2003 3:37 am:
  ... Well, somewhere in the message anyhow. ... I'd say so. ... Yep. Any application of cookies breaks REST, because they are by definition stateful, and all...

bhaugen32, Apr 13, 2003 12:38 pm:
  ... definition ... mean ... doing ... At least three frequently asked questions are contained in that paragraph: 1. Cookies vs REST? 2. Sessions vs REST? 3....

sem_antico, Apr 13, 2003 4:43 pm:
  ... But on one level are cookies not pieces of state representation that get transferred between client and server? Isn't it just the fact that they 'stick'...

Mark Baker (gonga_thrash), Apr 14, 2003 10:54 am:
  ... Not really. Cookies aren't the state, they're "receipts" for the state. e.g. if you login to a web site using cookies, your browser just gets an opaque...

Roy T. Fielding (roy_fielding), Apr 16, 2003 3:34 am:
  ... That concept tends to be a little confusing, partly because HTTP, like many network protocols, has a notion of stateless interactions that only refers to...

Mark Baker (gonga_thrash), Apr 16, 2003 3:06 pm:
  Hi Roy, ... Right. Correct me if I'm wrong, but I've always assumed that this additional constraint is a constraint on application semantics. That is, that a...

Roy T. Fielding (roy_fielding), Apr 16, 2003 6:48 pm:
  ... Well, keep in mind that the actions of PUT and POST also defer the maintenance of state to the server. Since we could construct a login semantic via the...

Mark Baker (gonga_thrash), Apr 17, 2003 3:40 am:
  Oi, LOGIN was a terrible example. I didn't think it through. What I was trying to learn by asking was this; what am I constrained from doing with the...

Roy T. Fielding (roy_fielding), Apr 18, 2003 12:28 am:
  ... Oh, I see what you mean. If you look back in my dissertation, http://www.ics.uci.edu/~fielding/pubs/dissertation/ net_arch_styles.htm#sec_3_4_3 ...

Berend de Boer (berenddeboer), Apr 21, 2003 7:30 pm:
  ... Roy> you will notice that there is only one constraint: Roy> communication must be stateless in nature. It is too bad that the theoretic ideals don't map...

Mark Baker (gonga_thrash), Apr 22, 2003 3:05 am:
  ... That's the point, really. Where the mapping is problematic, it's not a failing of REST, it's it working as planned; it tells you that your app probably...

bhaugen32, Apr 19, 2003 3:11 pm:
  ... that ... What do you think of the attempts of Paul Prescod and others to cast state-transition models into RESTful hyperlinked resources? For example, ...

Vincent D Murphy (johnfoobar1), Apr 13, 2003 1:05 pm:
  ... i don't think so. however the reality of contemporary user agents dictates a more pragmatic approach. (IMHO of course). i will take two examples where i...

sem_antico, Apr 13, 2003 4:37 pm:
  ... But having state on the server is surely fine with REST? ... If you create a 'basket' resource for my shopping on the server, then I'd imagine POST-ing new...

Vincent D Murphy (johnfoobar1), Apr 14, 2003 7:09 am:
  ... of course. i'm not sure how that contradicts what i said though. i'm referring to the fact that you have to 'build up' the shopping basket ...

Roy T. Fielding (roy_fielding), Apr 16, 2003 2:40 am:
  ... Yes, for current implementations. Eventually, someone points out the security hole and some poor sap is assigned to make the browser compliant with one or...

Richard Padley (sem_antico), Apr 14, 2003 8:42 am:
  ... I think that is the answer - the representation of the items that I can buy will contain a pointer to _my_ basket. That's what I meant when I said I have to...

Vincent D Murphy (johnfoobar1), Apr 14, 2003 1:46 pm:
  ... yes. the representations generated can differ depending on whether there is a logged in session; e.g. include some HTML form UI which does a POST to the...

Walden Mathews (waldenmathews), Apr 16, 2003 3:26 pm:
  ... After reading carefully, I'm not sure I can discern any additional constraint in the above. I'm starting with the assumption that without "application...

Mark Baker (gonga_thrash), Apr 16, 2003 4:57 pm:
  ... Consider that a single LOGIN message may be stateless (semantically self-contained), yet have consequences for the interpretation of the semantics of...

Walden Mathews (waldenmathews), Apr 17, 2003 11:31 am:
  Oh, then we have the same question after all. WM ... From: "Mark Baker" <distobj@...> To: "Roy T. Fielding" <fielding@...> Cc:...

Walden Mathews (waldenmathews), Apr 22, 2003 11:26 am:
  It's the Principle of Beneficent Difficulty at work, as Michael Jackson would say. WM ... From: "Mark Baker" <distobj@...> To:...