In a RESTful application, there’s no state maintained between two requests. Each request is treated as a completely new one, even though it would have been sent by the same user. I.e. There’s no session.
In that case, how does the User Login information handled by a REST application?
- Is that, after a successful login, the server generates a security token and sends it to client and the client sends it back for each and every request there after?
- If above is true, where the security token is stored in server? Database? (Remember: No session).
Ehrm. Sending a token to the client which will be sent back on each subsequent request, only to retrieve information associated with that token from the database on the server-side? That’s called a session. It’s exactly what PHP sessions do, apart from storing the information in a file, instead of a database. You’re recreating sessions.
Anyway, I think the “no session, no state” mantra is overrated and not very practical. I think it’s more than okay to store a simple cookie that contains a token so you can identify a user, and associate (some) data with that user. Anyway, I think that not storing application state (e.g. what has the user previously done, and what is he doing now) is the most important.