在RESTful API中使用会话真的违反了RESTful吗?我已经看到了许多意见,但我不相信会议是不安宁的。在我看来:
rest不禁止身份验证(否则在RESTful服务中几乎没有用处) 身份验证是通过在请求中发送一个身份验证令牌来完成的,通常是头 这个身份验证令牌需要以某种方式获得,并且可能会被撤销,在这种情况下需要更新 身份验证令牌需要由服务器验证(否则就不是身份验证)
那么会话是如何违背这一点的呢?
客户端,会话是使用cookie实现的 cookie只是一个额外的HTTP报头 会话cookie可以在任何时候获得和撤销 如果需要,会话cookie可以有无限的生存时间 会话id(身份验证令牌)在服务器端得到验证
As such, to the client, a session cookie is exactly the same as any other HTTP header based authentication mechanism, except that it uses the Cookie header instead of the Authorization or some other proprietary header. If there was no session attached to the cookie value server-side, why would that make a difference? The server side implementation does not need to concern the client as long as the server behaves RESTful. As such, cookies by themselves should not make an API RESTless, and sessions are simply cookies to the client.
我的假设错了吗?是什么使会话cookie不安分?