Reputation: 9305
RESTful token and session
I would like to know what is the best practice on how to work with authorized RESTful server.
Say that after login the server provides me a token, and then for each request I will have to provide it as well. My question is: should I save this token in my server's session? or should I do authentication against the data base for each request?
Upvotes: 0
Views: 108
Answers (2)
Reputation: 692201
There are several ways. You could only keep it in memory, but then if you have multiple servers in a cluster, you'll have to make sure a request for a given token always goes to the same server, or to distribute the token among all the servers.
You could also cryptographically sign the token data, include the data and the signature in the token, and verify the signature at each request. That way you can be certain that the token has been issued by you, and you can be completely stateless.
Note that, if you're using HTTP sessions already, the token is redundant, since the session mechanism already uses a token in a cookie to track sessions.
Upvotes: 4
Reputation: 73578
Use a session cookie to track an authenticated session instead of hitting the database each time.
Upvotes: 3
Related Questions
- REST Token based Authentication not working
- RESTful webservice + Spring token authentication
- Java POST request to get token from web service
- How to use token based authorization on REST?
- Authentication tokens on REST
- How to pass user session to a REST webservice
- Authentication headers in REST API call
- REST HTTP Authentication - How?
- Java REST service using authentication token
- How to authenticate restful web service using oAuth