If REST applications are supposed to be stateless, how do you manage sessions?

前端 未结 16 1039
既然无缘
既然无缘 2020-11-22 10:23

I\'m in need of some clarification. I\'ve been reading about REST, and building RESTful applications. According to wikipedia, REST itself is defined to be Representation

16条回答
  •  粉色の甜心
    2020-11-22 10:43

    The fundamental explanation is:

    No client session state on the server.

    By stateless it means that the server does not store any state about the client session on the server side.

    The client session is stored on the client. The server is stateless means that every server can service any client at any time, there is no session affinity or sticky sessions. The relevant session information is stored on the client and passed to the server as needed.

    That does not preclude other services that the web server talks to from maintaining state about business objects such as shopping carts, just not about the client's current application/session state.

    The client's application state should never be stored on the server, but passed around from the client to every place that needs it.

    That is where the ST in REST comes from, State Transfer. You transfer the state around instead of having the server store it. This is the only way to scale to millions of concurrent users. If for no other reason than because millions of sessions is millions of sessions.

    The load of session management is amortized across all the clients, the clients store their session state and the servers can service many orders of magnitude or more clients in a stateless fashion.

    Even for a service that you think will only need in the 10's of thousands of concurrent users, you still should make your service stateless. Tens of thousands is still tens of thousands and there will be time and space cost associated with it.

    Stateless is how the HTTP protocol and the web in general was designed to operate and is an overall simpler implementation and you have a single code path instead of a bunch of server side logic to maintain a bunch of session state.

    There are some very basic implementation principles:

    These are principles not implementations, how you meet these principles may vary.

    In summary, the five key principles are:

    1. Give every “thing” an ID
    2. Link things together
    3. Use standard methods
    4. Resources with multiple representations
    5. Communicate statelessly

    There is nothing about authentication or authorization in the REST dissertation.

    Because there is nothing different from authenticating a request that is RESTful from one that is not. Authentication is irrelevant to the RESTful discussion.

    Explaining how to create a stateless application for your particular requirements, is too-broad for StackOverflow.

    Implementing Authentication and Authorization as it pertains to REST is even more so too-broad and various approaches to implementations are explained in great detail on the internet in general.

    Comments asking for help/info on this will/should just be flagged as No Longer Needed.

提交回复
热议问题