If REST applications are supposed to be stateless, how do you manage sessions?

by

The fundamental explanation is:

No client session state on the server.

By stateless it means that the server does not store any state about the client session on the server side.

The client session is stored on the client. The server is stateless means that every server can service any client at any time, there is no session affinity or sticky sessions. The relevant session information is stored on the client and passed to the server as needed.

That does not preclude other services that the web server talks to from maintaining state about business objects such as shopping carts, just not about the client’s current application/session state.

The client’s application state should never be stored on the server, but passed around from the client to every place that needs it.

That is where the ST in REST comes from, State Transfer. You transfer the state around instead of having the server store it. This is the only way to scale to millions of concurrent users. If for no other reason than because millions of sessions is millions of sessions.

The load of session management is amortized across all the clients, the clients store their session state and the servers can service many orders of magnitude or more clients in a stateless fashion.

Even for a service that you think will only need in the 10’s of thousands of concurrent users, you still should make your service stateless. Tens of thousands is still tens of thousands and there will be time and space cost associated with it.

Stateless is how the HTTP protocol and the web in general was designed to operate and is an overall simpler implementation and you have a single code path instead of a bunch of server side logic to maintain a bunch of session state.

There are some very basic implementation principles:

These are principles not implementations, how you meet these principles may vary.

In summary, the five key principles are:

  1. Give every “thing” an ID
  2. Link things together
  3. Use standard methods
  4. Resources with multiple representations
  5. Communicate statelessly

There is nothing about authentication or authorization in the REST dissertation.

Because there is nothing different from authenticating a request that is RESTful from one that is not. Authentication is irrelevant to the RESTful discussion.

Explaining how to create a stateless application for your particular requirements, is too-broad for StackOverflow.

Implementing Authentication and Authorization as it pertains to REST is even more so too-broad and various approaches to implementations are explained in great detail on the internet in general.

Comments asking for help/info on this will/should just be flagged as
No Longer Needed.

More Related Contents:

  1. 400 BAD request HTTP error code meaning?
  2. SOAP vs REST (differences)
  3. How to design RESTful search/filtering? [closed]
  4. Representational state transfer (REST) and Simple Object Access Protocol (SOAP)
  5. HTTP POST with URL query parameters — good idea or not?
  6. REST API Best practice: How to accept list of parameter values as input [closed]
  7. 400 vs 422 response to POST of data
  8. Pagination in a REST web application
  9. When do I use path params vs. query params in a RESTful API?
  10. How to create REST URLs without verbs?
  11. secure api data from calls out of the app
  12. powershell invoke-restmethod multipart/form-data
  13. How to send a message successfully using the new Gmail REST API?
  14. Are there any naming convention guidelines for REST APIs? [closed]
  15. How to expose a RESTful Web Service using Meteor
  16. Rest Standard: Path parameters or Request parameters
  17. Making a PowerShell POST request if a body param starts with ‘@’
  18. How to use object filter with softlayer rest api?
  19. Does Karate DSL Framework have the capability to pass a POST Request as a url encoded format?
  20. Difference between Swagger & HATEOAS
  21. Is That REST API Really RPC? Roy Fielding Seems to Think So
  22. What is the difference between a HTTP-Get and HTTP-POST and why is HTTP-POST weaker in terms of security
  23. How do I get the body of a web request that returned 400 Bad Request from Invoke-RestMethod
  24. Flutter fetched Japanese character from server decoded wrong
  25. HTTP PATCH support in browsers
  26. VSTS use API to set build parameters at queue time
  27. How to do a PUT request with cURL?
  28. ‘Best’ practice for restful POST response
  29. What REST PUT/POST/DELETE calls should return by a convention?
  30. Get/post to RESTful web service

Leave a Comment