Skip to main content

You are not logged in. Your edit will be placed in a queue until it is peer reviewed.

We welcome edits that make the post easier to understand and more valuable for readers. Because community members review edits, please try to make the post substantially better than how you found it, for example, by fixing grammar or adding additional resources and hyperlinks.

10
  • 2
    People are not trying to forbid you from using sessions. You are free to do it. But if you do, it is not REST. Commented Dec 19, 2013 at 0:28
  • 8
    @AndréCaldas it is not REST in the same way that having functions or primitive types in a language is not oop. I'm not saying having sessions is advisable. I'm just giving my opinion regarding following a set of practices to an extent they no longer provide someone with benefits. (Btw, notice I didn't oppose your remarks, however, I wouldn't say it's not REST, I'd say it's not pure REST). Commented Dec 22, 2013 at 17:53
  • So what do we call it if it's not RESTful? And surely if a request includes the session Id, then that's as stateless as a request including a user Id? Why are user Id's stateless and session Id's stateful? Commented Dec 24, 2013 at 15:05
  • 1
    Cookies are vulnerable to cross-site request forgery, so they make it easier to have security breaches. Better to use something not automatically sent by the browser like a custom header or a custom Authorization scheme. Commented Jun 16, 2014 at 18:03
  • 1
    In fact, trying to be stateless is not about dogmatism, but about one common conception of SOA itself. Services should always benefit from being uncoupled, and stateless: in practice, it eases scaling, availability and maintainability. Of course, it should be as much as possible, and you would eventually need some "orchestration services" to manage those stateless services into a stateful pragmatic approach. Commented May 12, 2015 at 13:38