
REST and session management

 
David Spades
Ranch Hand
Posts: 348
I'm having trouble with sessions and REST.
1. As far as I know, there are two ways to pass around session attributes: cookies, and URL rewriting if users disable their cookies. We then use the HttpSession interface to interact with/manipulate those session objects. Is this about right?
2. The only appropriate use of cookies is when storing a user authentication token (unless there is another way to do this)?
3. Cookies violate statelessness? So, what to do?

Thanks
 
Ulf Dittmer
Rancher
Posts: 42972
73
Using cookies or HTTP sessions with a REST WS (or a SOAP WS) would indeed be very unusual. The authentication data should be sent with each request, whether it's the actual credentials or a server-generated token (which is much better than sending the credentials repeatedly). This could either be part of the request body, or via an HTTP header.
 
David Spades
Ranch Hand
Posts: 348
So, no cookies needed? Let's say I want to create an application from scratch; does that mean it's possible not to use cookies at all? I thought cookies are an HTTP header.
Secondly, how do we access the content of an HTTP header without HttpSession? Using the HTTP HEAD method?
So, what's the appropriate use of cookies?
thanks
 
Ulf Dittmer
Rancher
Posts: 42972
73
So, no cookies needed?

For a WS, no.

lets say I want to create an application from scratch, does that mean it's possible not to use cookies at all?

Yes.

I thought cookies is an HTTP header.

Correct, but they're optional.

how do we access the content of http header without httpsession? using HTTP head method?

The HttpServletRequest class has methods for accessing HTTP headers. HTTP headers as such have nothing to do with HTTP sessions. The HTTP HEAD method does something else entirely.

what's the appropriate use of cookies?

They're frequently used by web apps to store user-specific information. Often the session ID is stored in them, if sessions are used. Web apps are a different usage scenario than WS, though.
 
David Spades
Ranch Hand
Posts: 348
So, if it's a normal web app, it's perfectly fine and sensible to use cookies (and when using cookies, HttpSession is also automatically in play, since they're both inseparable)?
What are the sample cases where the use of cookies is recommended in a web application? Thanks
 
Ulf Dittmer
Rancher
Posts: 42972
73
if it's a normal web app, it's perfectly fine and sensible to use cookies

It's perfectly normal. Whether it's sensible in any given web app is another question.

and when using cookies, HttpSession is also automatically in play, since they're both inseparable

No. Cookies can be (and generally are) used to implement sessions, but it's perfectly possible to use cookies without having sessions, and it's also possible to have sessions without using cookies.

what are the sample cases where the use of cookies is recommended in a web application?

To store user settings, for example. Maybe a site lets you adjust its look (by setting the font size, maybe) - that might be stored in a cookie so that next time you visit, the font size is adjusted from the beginning.
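To make both directions of that answer concrete, here is an added example in Python (not code from this thread, and not a servlet container's own code). It mimics what a container does when it looks for a session ID, checking a session cookie first and then the `;jsessionid=` path parameter produced by URL rewriting, and it reads a font-size preference straight out of a cookie with no server-side session behind it. The cookie name `JSESSIONID` and the `;jsessionid=` parameter are the servlet convention; the sample requests below are constructed for the illustration.

```python
import re
from http.cookies import SimpleCookie

# Cookie name servlet containers use for the session ID (servlet convention).
SESSION_COOKIE = "JSESSIONID"


def parse_cookies(cookie_header):
    """Turn a raw 'Cookie:' header value into {name: value}; None or '' gives {}."""
    jar = SimpleCookie()
    if cookie_header:
        jar.load(cookie_header)
    return {name: morsel.value for name, morsel in jar.items()}


def find_session_id(path, cookie_header):
    """Locate the session ID the way a servlet container does.

    Returns (session_id, source) with source 'cookie' or 'url',
    or (None, None) when the request carries no session at all.
    """
    cookies = parse_cookies(cookie_header)
    if SESSION_COOKIE in cookies:
        return cookies[SESSION_COOKIE], "cookie"
    # URL rewriting: the container appends ';jsessionid=...' as a path
    # parameter when the client does not send cookies.
    match = re.search(r";jsessionid=([A-Za-z0-9]+)", path, re.IGNORECASE)
    if match:
        return match.group(1), "url"
    return None, None


def font_size_preference(cookie_header, default=12):
    """Read a display preference stored directly in a cookie.

    No session is involved: the value lives in the browser, so it is
    validated on every request because the client controls it.
    """
    raw = parse_cookies(cookie_header).get("fontSize")
    if raw is None or not raw.isdigit():
        return default
    size = int(raw)
    return size if 8 <= size <= 32 else default


# Constructed sample requests (not captured traffic).
NO_SESSION = {"path": "/app/home", "cookie": "fontSize=14"}
URL_SESSION = {"path": "/app/account;jsessionid=A1B2C3D4", "cookie": None}
COOKIE_SESSION = {"path": "/app/account", "cookie": "JSESSIONID=Z9Y8X7; fontSize=99"}

if __name__ == "__main__":
    for label, req in (("no session", NO_SESSION),
                       ("session via URL", URL_SESSION),
                       ("session via cookie", COOKIE_SESSION)):
        print(label, find_session_id(req["path"], req["cookie"]),
              "fontSize:", font_size_preference(req["cookie"]))
```

The first request has a cookie but no session; the second has a session but no cookie; the third has both. The out-of-range `fontSize=99` falls back to the default, which is the check you want on any value a cookie carries without a session to vouch for it.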
 
David Spades
Ranch Hand
Posts: 348
1. So, in both WS and web apps, we always use an authentication token, never the actual credentials themselves?
2. Referring to point number 1, is the said token always put in an HTTP header? Because in several links like
http://stackoverflow.com/questions/8463809/customize-the-authorization-http-header
the use of an HTTP header to store the auth token is not recommended; they recommend cookies instead. Could you please
3. I'm still not following how it's possible to use cookies without a session and to use a session without cookies. Could you please give an example?
Thanks
 
Ulf Dittmer
Rancher
Posts: 42972
73
1. So, in both WS and web apps, we always use an authentication token, never the actual credentials themselves?

Initially, for both the credentials would need to be transmitted. For web apps, you'd generally start a session, and only the sessionID would be transmitted. For WS you'd use the token in subsequent calls.

2. Referring to point number 1, is the said token always put in an HTTP header?

Not always. It can also be part of the HTTP body in some form. Or it could be a cookie (which is also an HTTP header), but I wouldn't use cookies with WS.

3. I'm still not following how it's possible to use cookies without a session and to use a session without cookies.

I think it might be more instructive if you explained why you see a connection between the two.
 
David Spades
Ranch Hand
Posts: 348
Okay, so what is the recommended practice for login in a web app? Transmitting the session ID and storing it in cookies? Why not also use that in a web app? Thanks
 
Ulf Dittmer
Rancher
Posts: 42972
73
Using sessions in WS is a bad practice; they should be stateless. What you'd pass to the WS with each call would be a secure token that indicates the WS client was authenticated properly. It could contain more information than "authentication was successful", like an expiration date and a user ID.
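The token described in that reply, written out as an added example in Python (not code from this thread, and not any library's API): the server issues a token carrying the user ID and an expiry, protects it with an HMAC under a server-side secret, and on every later call checks the MAC and the expiry without keeping any per-client state. The secret, the `user:expiry` payload layout, the `Bearer` scheme in the `Authorization` header, and the user names are assumptions made for the illustration; a production service would normally use an established token format such as JWT rather than a hand-rolled one.

```python
import base64
import hashlib
import hmac
import time

# Assumption: a server-side secret; this value is constructed for the example only.
SECRET = b"constructed-demo-secret"


def issue_token(user_id, ttl_seconds, now=None, secret=SECRET):
    """Issue a self-contained token: 'base64(user:expiry).base64(HMAC-SHA256)'.

    The server stores nothing per client: everything needed to check the
    token on a later call is inside it and covered by the MAC.
    """
    now = int(time.time()) if now is None else now
    payload = f"{user_id}:{now + ttl_seconds}".encode()
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(mac).decode())


def verify_token(token, now=None, secret=SECRET):
    """Return (user_id, None) for a valid token, or (None, reason) otherwise."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, mac_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except ValueError:  # wrong number of parts or bad base64
        return None, "malformed"
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    # Check the MAC first, in constant time, before trusting anything in the payload.
    if not hmac.compare_digest(mac, expected):
        return None, "bad signature"
    user_id, _, expiry = payload.decode().rpartition(":")
    if not expiry.isdigit() or now >= int(expiry):
        return None, "expired"
    return user_id, None


def authenticate_request(headers, now=None):
    """Each call stands alone: take the token from 'Authorization: Bearer <token>'."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None, "no bearer token"
    return verify_token(token, now=now)


if __name__ == "__main__":
    # Constructed exchange: login at t=1_000_000 yields a one-hour token,
    # which is then presented on later calls with no session on the server.
    token = issue_token("alice", 3600, now=1_000_000)
    print("login response token:", token)
    print("call 1 min later:", authenticate_request({"Authorization": "Bearer " + token}, now=1_000_060))
    print("call after expiry:", authenticate_request({"Authorization": "Bearer " + token}, now=1_003_601))
```

Two details carry the security of this scheme: the MAC is compared with `hmac.compare_digest` before any field in the payload is read, so a forged payload is rejected without being interpreted, and the expiry lives inside the signed payload, so a client cannot extend its own token. A token the service cannot revoke before expiry is the trade-off for keeping the server stateless.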
 
David Spades
Ranch Hand
Posts: 348
So, in WS, any authentication token and extra information should be stored in cookies? And the service server will read the content of the cookies to do the processing?
And what about in a standard web application? What's the best practice in authentication?
Thanks
 
Ulf Dittmer
Rancher
Posts: 42972
73
As I said before, I wouldn't use cookies for WS. A custom HTTP header would work, or that information could be part of the payload. But cookies would work if you've set your heart on them.

For a web app I would advise to use the standard servlet security approach: http://www.coderanch.com/how-to/java/ServletsFaq#security
 