Sorry for the noobish question, this is the first time I try to implement a REST interface (in PHP). Anyway, because of the stateless nature of the HTTP protocol, what's the best practice in order to ensure that:
GET /user/{id}/friends
is always and only executed by the current authenticated user? Is a session usually used as a method to restrict REST access?
You can use HTTP sessions, which are nothing more than server-side cookies. They're usually ok, but there have been a lot of reports of session hijacking lately. So my answer, if you're really concerned about this, is to use HMAC. It's tricky to set up, but once it is, you can be sure that the message really did come from an authenticated user.
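One way to do the HMAC signing the answer describes, written in PHP as an added example (not code from the answer): the client signs the request with a shared secret, the server verifies the MAC with a constant-time compare and a freshness window, and only then checks that the caller owns the `{id}` in the path. The header names, key id, credential store and shared secret are assumptions.

```php
<?php
// Added example (not code from the answer above): HMAC-signed REST requests.
// Assumed scheme: the client signs method + path + timestamp with a shared
// secret; the server recomputes the MAC, rejects stale or mismatched
// signatures, then checks that the caller owns the {id} in /user/{id}/friends.

const SIGNATURE_TTL = 300; // seconds a signed request stays valid

// Constructed credential store; in a real app this is a database lookup.
$credentials = ['key-1234' => ['secret' => 'constructed-shared-secret', 'user_id' => 42]];

function canonical(string $method, string $path, int $ts): string
{
    // Everything that is signed must be rebuilt byte-for-byte on the server.
    return strtoupper($method) . "\n" . $path . "\n" . $ts;
}

function sign(string $secret, string $method, string $path, int $ts): string
{
    return hash_hmac('sha256', canonical($method, $path, $ts), $secret);
}

// Server side: returns the authenticated user id, or null to reject the request.
function authenticate(array $creds, array $h, string $method, string $path): ?int
{
    if (!isset($creds[$h['X-Key-Id']])) {
        return null;
    }
    $ts = (int) $h['X-Timestamp'];
    if (abs(time() - $ts) > SIGNATURE_TTL) {
        return null; // stale request: limits replay of a captured signature
    }
    $expected = sign($creds[$h['X-Key-Id']]['secret'], $method, $path, $ts);
    // hash_equals compares in constant time so the MAC is not leaked via timing.
    return hash_equals($expected, $h['X-Signature']) ? $creds[$h['X-Key-Id']]['user_id'] : null;
}

// Client side: sign GET /user/42/friends and send the values as headers.
$path = '/user/42/friends';
$headers = ['X-Key-Id' => 'key-1234', 'X-Timestamp' => time()];
$headers['X-Signature'] = sign($credentials['key-1234']['secret'], 'GET', $path, $headers['X-Timestamp']);

// Server side: authenticate, then authorise: the {id} in the path must be the caller.
$userId = authenticate($credentials, $headers, 'GET', $path);
$requested = (int) explode('/', $path)[2];
echo ($userId !== null && $userId === $requested) ? "allowed\n" : "forbidden\n";

// A signature over /user/42/... does not let the caller read /user/43/friends.
echo authenticate($credentials, $headers, 'GET', '/user/43/friends') === null ? "rejected\n" : "accepted\n";
```

The secret never travels over the wire, so a captured request can at most be replayed within the freshness window; send the request over TLS if the response body itself is sensitive.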