在RESTful API中使用会话真的违反了RESTful吗?我已经看到了许多意见,但我不相信会议是不安宁的。在我看来:
rest不禁止身份验证(否则在RESTful服务中几乎没有用处)
身份验证是通过在请求中发送一个身份验证令牌来完成的,通常是头
这个身份验证令牌需要以某种方式获得,并且可能会被撤销,在这种情况下需要更新
身份验证令牌需要由服务器验证(否则就不是身份验证)
那么会话是如何违背这一点的呢?
客户端,会话是使用cookie实现的
cookie只是一个额外的HTTP报头
会话cookie可以在任何时候获得和撤销
如果需要,会话cookie可以有无限的生存时间
会话id(身份验证令牌)在服务器端得到验证
As such, to the client, a session cookie is exactly the same as any other HTTP header based authentication mechanism, except that it uses the Cookie header instead of the Authorization or some other proprietary header. If there was no session attached to the cookie value server-side, why would that make a difference? The server side implementation does not need to concern the client as long as the server behaves RESTful. As such, cookies by themselves should not make an API RESTless, and sessions are simply cookies to the client.
我的假设错了吗?是什么使会话cookie不安分?
首先,REST不是宗教,不应该被当作宗教来对待。虽然REST式服务有很多优点,但您应该只在应用程序有意义时才遵循REST的原则。
That said, authentication and client side state do not violate REST principles. While REST requires that state transitions be stateless, this is referring to the server itself. At the heart, all of REST is about documents. The idea behind statelessness is that the SERVER is stateless, not the clients. Any client issuing an identical request (same headers, cookies, URI, etc) should be taken to the same place in the application. If the website stored the current location of the user and managed navigation by updating this server side navigation variable, then REST would be violated. Another client with identical request information would be taken to a different location depending on the server-side state.
Google's web services are a fantastic example of a RESTful system. They require an authentication header with the user's authentication key to be passed upon every request. This does violate REST principles slightly, because the server is tracking the state of the authentication key. The state of this key must be maintained and it has some sort of expiration date/time after which it no longer grants access. However, as I mentioned at the top of my post, sacrifices must be made to allow an application to actually work. That said, authentication tokens must be stored in a way that allows all possible clients to continue granting access during their valid times. If one server is managing the state of the authentication key to the point that another load balanced server cannot take over fulfilling requests based on that key, you have started to really violate the principles of REST. Google's services ensure that, at any time, you can take an authentication token you were using on your phone against load balance server A and hit load balance server B from your desktop and still have access to the system and be directed to the same resources if the requests were identical.
归根结底,您需要确保您的身份验证令牌是针对某种类型的备份存储(数据库、缓存等)进行验证的,以确保您尽可能多地保留REST属性。
我希望你能理解。如果你还没有,你也应该看看维基百科文章中关于具象状态转移的约束部分。关于REST的原则实际上在争论什么以及为什么争论,它特别具有启发性。
Cookies are not for authentication. Why reinvent a wheel? HTTP has well-designed authentication mechanisms. If we use cookies, we fall into using HTTP as a transport protocol only, thus we need to create our own signaling system, for example, to tell users that they supplied wrong authentication (using HTTP 401 would be incorrect as we probably wouldn't supply Www-Authenticate to a client, as HTTP specs require :) ). It should also be noted that Set-Cookie is only a recommendation for client. Its contents may be or may not be saved (for example, if cookies are disabled), while Authorization header is sent automatically on every request.
另一点是,要获得授权cookie,您可能需要首先在某个地方提供您的凭据。如果是这样,那不就是不安分吗?简单的例子:
您尝试没有cookie的GET /a
你得到了一个授权请求
然后授权POST /auth
你会得到Set-Cookie
您尝试GET /a与cookie。但是在这种情况下GET /a的行为是幂等的吗?
总而言之,我认为如果我们访问某些资源并且需要进行身份验证,那么我们必须在同一资源上进行身份验证,而不是在其他任何地方。