But, saying that a whole application should be stateless is complete nonsense.
As a result, Session and Cookies should be avoided (as both of them are stateful). A better approach is to use Tokens
ButA few things: Tokens can be tied to session storage too. Cookies don't need to be tied to session storage. Tokens are often stored in cookies. And, sayingsometimes a session is simply the right tool for the job.
That means that at least sometimes, sessions and cookies are just as "better" as tokens!
[Tokens] are stateless because nothing is stored on the server.
Well, that's it. That's what the "statelessness" dogma is really about. Though, to be clear, it's not about storing "nothing" on the server, it's about not storing session state on the server.
My Gmail inbox is in a wholestate, for example. And it damn well applicationbetter should be stored on the server! But, it's not session state.
So, instead of having a servers that can take a small identifier and figure out who you are and so forth, stateless applications want to be reminded who you are and what you're doing with every bloody request. The application state still exists, the client is complete nonsensejust responsible for holding onto it.
Now, if that state is small, that's probably OK. In some cases it's very good.
And then, of course, there are things we simply expect to be stateful ...
how can web applications be stateless when there is data that is being kept for my session (such as items in a shopping cart)? Are these actually being stored in a database somewhere and then periodically being purged?
Two options. Either you have a session, or you're in denial!
... But seriously. You wouldn't normally store a cart in a cookie. Something like a shopping cart will either be stored in a "traditional" session, or it'll be stored as a Cart object, with some kind of ID that the server uses to pull it into subsequent requests. Kind of like a .. uhh ... ... err ... session.
For real seriously: There's a large degree to which "statefulness" is just what we call it when two communicating agents can contextualize messages in a conversation. And a session, traditionally understood, is just what we typically call the mechanism by which this occurs.
I'd argue that, regardless of whether you use tokens or "sessions," for each request your server handles, you either need to contextualize that request to fulfill it, or you don't. If the context isn't necessary, don't fetch it. If the context is necessary, you better have it nearby!
And then as a related question, are the major websites (Amazon, Google, Facebook, Twitter, etc.) actually stateless? Do they use tokens or cookies (or both)?
GenerallyProbably both. But, generally speaking, they do exactly what you do: They set cookies to identify "state" records in massive "session" databases.
When possible, I suspect they shove basic identity claims into short-lived "tokens" to avoid unnecessary contention on centralized storage. But, the fact that many of these services permit me to "log out of all other locations" is a good indicator that, if they're using tokens at all, they're at least "supported" by a semi-traditional session model.