Statelessness means that every HTTP request happens in complete isolation. When the client makes an HTTP request, it includes all the information necessary for the server to fulfill that request. The server never relies on information from previous requests. If that information was important, the client would have to send it again in subsequent request. Statelessness also brings new features. It’s easier to distribute a stateless application across load-balanced servers. A stateless application is also easy to cache.

实际上有两种状态。客户机上的应用程序状态和服务器上的资源状态。

web服务只需要在实际发出请求时关心应用程序的状态。其他时候，它甚至不知道你的存在。这意味着无论客户端何时发出请求，都必须包含服务器处理请求所需的所有应用程序状态。

每个客户机的资源状态都是相同的，它的适当位置在服务器上。当您将图片上传到服务器时，您创建了一个新资源:新图片有自己的URI，可以作为未来请求的目标。您可以通过HTTP协议获取、修改和删除该资源。

我知道这里的基本问题是混淆了会议和国家。虽然REST指定不应该在服务器上存储状态，但没有什么可以阻止您存储用户会话。

管理服务器上的状态意味着您的服务器确切地知道客户机正在做什么(它们正在应用程序的哪个部分中查看哪个页面)。这是你不需要做的。

我同意其他人的说法，你应该保持会话存储的最小大小;虽然这是常识，但实际上也取决于应用程序。 因此，简而言之，您仍然可以保留一个带有缓存数据的会话，以较小的服务器负载处理请求，并通过提供一个临时身份验证/访问令牌供客户机使用来管理身份验证。每当会话/令牌过期时，生成一个新的会话/令牌，并要求客户端使用它。

有人可能会说，客户端应该更好地生成令牌。我说它是双向工作的，这取决于应用程序，以及谁将使用API。

在服务器上保留一些敏感的会话数据也是正确的做法。例如，您不能相信客户端会保留包含名为“isFreeGift”字段的购物车。这些信息应该保存在服务器上。

Santanu Dey在回答中提供的视频链接很有帮助。如果你还没看过，就看看吧。

只是一个旁注:似乎所有已经给出的答案都忽略了一个事实，即某些操作可能会导致服务器负载过重。这与功耗、硬件消耗和成本(对于按CPU周期租用的服务器)有关。一个优秀的开发人员不应该懒惰地优化他们的应用程序，即使操作可以在一些租用的服务器上的现代CPU上快速完成，而且他们不需要支付电费和维护费用。

虽然这个问题是几年前的事了，但我希望我的回答仍然会有帮助。

在开发RESTful服务时，为了登录，您需要对用户进行身份验证。一种可能的选择是在每次执行用户操作时发送用户名和密码。在这种情况下，服务器将根本不存储会话数据。

Another option is to generate a session-id on the server and send it to the client, so the client will be able to send session-id to the server and authenticate with that. This is much much safer than sending username and password each time, since if somebody gets their hand on that data, then he/she can impersonate the user until the username and password is changed. You may say that even the session id can be stolen and the user will be impersonated in that case and you are right. However, in this case impersonating the user will only be possible while the session id is valid.

如果RESTful API需要用户名和密码才能更改用户名和密码，那么即使有人使用会话id冒充用户，黑客也无法锁定真正的用户。

会话id可以通过单向锁定(加密)某个标识用户的东西并将时间添加到会话id中来生成，这样就可以定义会话的过期时间。

The server may or may not store session ids. Of course, if the server stores the session id, then it would violate the criteria defined in the question. However, it is only important to make sure that the session id can be validated for the given user, which does not necessitate storing the session id. Imagine a way that you have a one-way-encryption of email, user id and some user-specific private data, like favorite color, this would be the first level and somehow adding the username date to the encrypted string and apply a two-way encryption. As a result when a session id is received, the second level could be decrypted to be able to determine which username the user claims to be and whether the session time is right. If this is valid, then the first level of encryption could be validated by doing that encryption again and checking whether it matches the string. You do not need to store session data in order to achieve that.

Stateless means the state of the service doesn’t persist between subsequent requests and response. Each request carries its own user credentials and is individually authenticated. But in stateful each request is known from any prior request. All stateful requests are session-oriented i.e. each request need to know and retain changes made in previous requests. Banking application is an example of stateful application. Where user first login then make transaction and logs out. If after logout user will try to make the transaction, he will not be able to do so. Yes, http protocol is essentially a stateless protocol but to make it stateful we make us of HTTP cookies. So, is SOAP by default. But it can be make stateful likewise, depends upon framework you are using. HTTP is stateless but still we can maintain session in our java application by using different session tracking mechanism. Yes, We can also maintain session in webservice whether it is REST or SOAP. It can be implemented by using any third party library or you can implement by our own.

摘自http://gopaldas.org/webservices/soap/webservice-is-stateful-or-stateless-rest-soap

您完全正确，支持与服务器的完全无状态交互确实给客户机增加了额外的负担。但是，如果考虑扩展应用程序，客户机的计算能力与客户机的数量成正比。因此，扩展到大量的客户是更加可行的。

只要您让服务器负责管理与特定客户端交互相关的一些信息，这个负担就会迅速增长到消耗服务器。

这是一种权衡。

Statelessness means that every HTTP request happens in complete isolation. When the client makes an HTTP request, it includes all the information necessary for the server to fulfill that request. The server never relies on information from previous requests. If that information was important, the client would have to send it again in subsequent request. Statelessness also brings new features. It’s easier to distribute a stateless application across load-balanced servers. A stateless application is also easy to cache.

实际上有两种状态。客户机上的应用程序状态和服务器上的资源状态。

web服务只需要在实际发出请求时关心应用程序的状态。其他时候，它甚至不知道你的存在。这意味着无论客户端何时发出请求，都必须包含服务器处理请求所需的所有应用程序状态。

每个客户机的资源状态都是相同的，它的适当位置在服务器上。当您将图片上传到服务器时，您创建了一个新资源:新图片有自己的URI，可以作为未来请求的目标。您可以通过HTTP协议获取、修改和删除该资源。