TheManish

Reputation: 303

Alternative solution for session in RESTful API

Scenario:

I am developing an API for a booking system, where user (without registration) gets a quote (with price) for a service, then later uses that quote to place a booking with additional information.

Question

How do I verify a quote generated by a request (e.g., QT001) won't be used by anyone else's request? For example, anyone can randomly guess a quote id and request a booking for that. How do I verify that the second request, which will be for the booking, is from the same user who sent the request for the quote?

Sorry if the context isn't clear enough, since I'm new to the RESTful API world.

Upvotes: 0

Views: 461

Answers (1)

fullstackdev

Reputation: 535

If you are OK with cookies, then:

  1. When a quote is created, the server should set a cookie with a key like "Quote" and the quote id as the value (e.g. QT001)
  2. When a booking is requested, the server gets the cookie value for Quote and compares it with the quote id for which the user is requesting a booking
  3. If someone is just guessing the quote id, then there will not be a match

Upvotes: 1
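The cookie check from the answer, written out as an added example (not code from the answer's author), with an in-memory dict standing in for the quote database: the cookie carries a random per-quote token instead of the bare quote id, since a cookie whose value is just QT001 can be forged by whoever guessed QT001, and the booking step compares the presented token against a stored hash in constant time.

```python
import hmac
import secrets
from hashlib import sha256
from typing import Dict, Optional, Tuple

# Assumed in-memory store standing in for a database:
# quote id -> {"price": float, "token_hash": hex sha256 of the cookie token}.
# Only a hash of the token is stored, so a leaked table does not yield usable cookies.
QUOTES: Dict[str, dict] = {}
_counter = 0


def create_quote(price: float) -> Tuple[str, str]:
    """Step 1: create a quote and return (quote_id, cookie_value).

    The quote id (QT001, QT002, ...) is sequential and guessable, as in the
    question; the cookie value is a random 32-byte token that is not.
    """
    global _counter
    _counter += 1
    quote_id = "QT%03d" % _counter
    token = secrets.token_urlsafe(32)
    QUOTES[quote_id] = {"price": price,
                        "token_hash": sha256(token.encode()).hexdigest()}
    return quote_id, token


def set_cookie_header(token: str) -> str:
    """Value for the Set-Cookie response header on the quote response."""
    # HttpOnly keeps scripts away from it; Secure + SameSite limit where it is sent.
    return "Quote=%s; HttpOnly; Secure; SameSite=Strict; Path=/" % token


def booking_allowed(quote_id: str, cookie_value: Optional[str]) -> bool:
    """Steps 2 and 3: the booking request must carry the cookie issued with this quote."""
    quote = QUOTES.get(quote_id)
    if quote is None or cookie_value is None:
        return False
    presented = sha256(cookie_value.encode()).hexdigest()
    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(presented, quote["token_hash"])


if __name__ == "__main__":
    qid, tok = create_quote(99.0)
    print(set_cookie_header(tok))
    print(booking_allowed(qid, tok))      # True: same client, right cookie
    print(booking_allowed(qid, "QT001"))  # False: guessed id, no issued token
```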
