{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 女痞 的问题《How to understand “RESTful API is stateless”?》','https://www.manongdao.com/q-1168677.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I heard that RESTful API should be stateless. All state info should be kept on client side.
But when I am issuing ajax call from a web page, I noticed that a session ID cookie is always sent along to server. With that session ID, I can obtain the session object on server. And thus I can get/set some state info in the session.
Does this break the code of being stateless for RESTful API?
ADD 1
(The background of my question is as below.)
I tried to implement a login page by calling a RESTful API to validate username and password.
Each time user attempt to visit a page of my site, a login servlet filter will check the session (this is where the getSession() get called) for that user to see if valid login info exists. If not, login filter will redirect user to the login page.
On the login page, an ajax call is made to a RESTful API on server with username and password. Depend on the return result of that RESTful API, the JavaScript on the page will decide whether let user into my site.
So, in this scenario, I kind of have to use session.
The detailed code is located here: Is this login logic via RESTful call sound?
Simply put: In REST applications, each request must contain all of the information necessary to be understood by the server, rather than be dependent on the server remembering prior requests.
Storing session state on the server violates the stateless constraint of the REST architecture. So the session state must be handled entirely by the client.
Keep reading for more details.
The session state
Traditional web applications use remote sessions. In this approach, the application state is kept entirely on the server. See the following quote from Roy T. Fielding's dissertation:
While this approach introduces some advantages, it reduces the scalability of the server:
The stateless constraint
The REST architectural style is defined on the top of a set constraints that include statelessness of the server. According Fielding, the REST stateless constraint is defined as the following:
This constraint induces the properties of visibility, reliability, and scalability:
Authentication and authorization
If the client requests protected resources that require authentication, every request must contain all necessary data to be properly authenticated/authorized. See this quote from the RFC 7235:
And authentication data should belong to the standard HTTP
Authorizationheader. From the RFC 7235:The name of this HTTP header is unfortunate because it carries authentication instead of authorization data.
For authentication, you could use the Basic HTTP Authentication scheme, which transmits credentials as username and password pairs, encoded using Base64:
If you don't want to send the username and password in each request, the username and password could be exchanged for a token (such as JWT) that is sent in each request. JWT can contain the username, an expiration date and any other metadata that may be relevant for your application:
What might be wrong with your server
Once you have a session indentifier, I guess a HTTP session is being created somewhere in your application. It can be in your own code or in the code of the framework you are using.
In Java applications, you must ensure that the following methods are not getting invoked:
HttpServletRequest#getSession()HttpServletRequest#getSession(boolean)withtrue