Reputation: 1929
After going through a lot of comments from different people about session management for REST-supported applications, here is what I have thought of doing.
My application can be accessed from a browser (as a normal web app) and from mobile devices as well. The application was first written with HTTP session management on the server for the browser-based app. Now, while adding the mobile client, we have implemented REST web services, with the same service layer for the mobile device and the browser client.
When a user logs in with a mobile device, we create a unique auth token, generate an HTTP session, and store the HTTP session in a map in the app with this token ID as the key. Later on we expect every user request from the mobile device to return this token, and using this token we get the session from the map and continue.
Can somebody review my approach and confirm if it is fine?
Now, I have a second question - We are using JsonPRequestBuilder from GWT to invoke my back end REST services with jersey-guice. How do I send this token in http header during jsonp call from GWT?
Upvotes: 3
Views: 3829
Reputation: 64561
"Session in REST" is an oxymoron.
When user logs in with mobile device, we are creating a unique auth token
Seems fine, though it looks a bit like you reinvented OAuth.
generate a http session and we store the http session with this token ID as key, value map in app.
Keeping some cache on the server-side for faster access is fine, but don't call it a session, and don't bind it to a specific token (you can bind it to a user if the data is user-specific; the user ID would simply be part of the cache key if it makes sense).
You don't talk about expiration of that cache, or how/when you clean it up and free memory.
Now, I have a second question - We are using JsonPRequestBuilder from GWT to invoke my back end REST services with jersey-guice. How do I send this token in http header during jsonp call from GWT?
As @Arcadien said, JSONP is just about inserting a <script> element in the page, so you only have control of the URL, and thus this is where you should/can pass the authentication token (albeit not being really secure).
May I question the reason you use JSONP from a mobile "native" app? AFAIK there's no SOP issue from UIWebViews or similar, so a RequestBuilder or XMLHttpRequest would Just Work™.
Upvotes: 2
Reputation: 2278
For the second: with JSONP, you have to add your token as a plain HTTP parameter; you have no access to an object like Request as you do when using regular XMLHttpRequest. So you can't set any kind of header; everything should go in the query string.
Upvotes: 0
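How a JSONP call actually carries the token, as an added example in plain JavaScript (not the poster's GWT code, but the browser-level mechanism that JsonpRequestBuilder compiles down to): the only channel is the script element's URL, so the token and the callback name go into the query string and there is no place for a header. The endpoint, the parameter names `token` and `callback`, and the stand-in browser and server used to exercise it offline are assumptions; the caveat from the answers stands, since anything in the URL ends up in server and proxy logs and browser history.

```javascript
// Added example, not the poster's code. Endpoint, parameter names and the
// fake document/window used for offline testing are assumptions.

// Build base?k=v&k2=v2 with every key and value percent-encoded.
function buildJsonpUrl(base, params) {
  const qs = Object.entries(params)
    .map(([k, v]) => encodeURIComponent(k) + '=' + encodeURIComponent(v))
    .join('&');
  return base + (base.includes('?') ? '&' : '?') + qs;
}

let callbackCounter = 0;

// Issue a JSONP request: register a global callback, put the token and the
// callback name in the URL, and insert a <script>. The server is expected to
// reply with `<callbackName>(<json>)`. win/doc default to the real browser
// objects and can be replaced for testing. Returns the URL that was used.
function jsonpRequest(base, token, onData, { win = globalThis, doc = globalThis.document } = {}) {
  const cbName = 'jsonp_cb_' + (callbackCounter++) + '_' + Math.random().toString(36).slice(2);
  const url = buildJsonpUrl(base, { callback: cbName, token });
  const script = doc.createElement('script');
  win[cbName] = (data) => {
    delete win[cbName];   // one-shot: never leave the global callback behind
    script.remove();      // and drop the script element
    onData(data);
  };
  script.src = url;       // no headers can be set here; the URL is all there is
  doc.head.appendChild(script);
  return url;
}

// Constructed stand-in for the browser and the server so the flow can run
// outside a page. The "server" sees only the URL, pulls token and callback
// from the query string, and accepts exactly one token.
function simulate(validToken, presentedToken) {
  const win = {};
  const doc = {
    createElement() { return { remove() {} }; },
    head: {
      appendChild(script) {
        const u = new URL(script.src);
        const cb = u.searchParams.get('callback');
        const tok = u.searchParams.get('token');
        const body = tok === validToken
          ? { ok: true, user: 'alice' }
          : { ok: false, error: 'unauthorized' };
        win[cb](body);   // the fetched script "executes": callback(json)
      },
    },
  };
  let result;
  const url = jsonpRequest('https://api.example.test/rest/profile', presentedToken,
                           (d) => { result = d; }, { win, doc });
  return { url, result, callbackCleared: Object.keys(win).length === 0 };
}

module.exports = { buildJsonpUrl, jsonpRequest, simulate };
```

In GWT the same thing is `new JsonpRequestBuilder().requestObject(url, callback)` with the token already appended to `url`; the builder generates the callback name and script element for you, and nothing else crosses the wire.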