When I am writing a web service that needs authentication, I usually have to choose between two options:
1. I can have a dedicated authentication call that creates a session. All subsequent calls are authenticated over a cookie. This is exactly how you would do authentication in a classic web site. This is not hard to write, but is not stateless.
2. I can send authentication information (such as credentials, a token, whatever) on each single request. This way it's stateless, but there is more overhead.
Are there suggested best practices for which way you should go? Why?