1

From my point of view, a session violates RESTfulness whether it is stored in memory or in a database.

In the case of a session stored in memory, it is hard to scale the server out using something like load balancing, since servers don't share the session data.

Likewise, in the case of a session stored in a database, the database will be overloaded when many servers make queries simultaneously.

My issue is related to the second case.

For a long time, I had thought that the server and the database are different.


My past assumption:

When a client makes a request to the server with specific data, the server stores that data in a database like MySQL or Mongo.

So the server doesn't have to care about the client's state, since the database has full control over it.

The server can stand alone against the client's request, since it can query the database whenever it wants to know who the client is.


So my two questions are:

  1. When people say that a "RESTful server stands alone against the client's request", does that 'server' include the database?
  2. If yes, and if there is a User model and a Post model associated by a one-to-many relation, doesn't that also violate RESTfulness?

I am sure that the second question makes no sense, since if its answer were yes, then REST APIs would never have been that useful.

But I cannot understand why a session in the database violates RESTfulness while the User-Post relation does not.

I think both of them follow the same procedure: client-server-database.

How can I understand this issue easily?

koo

2 Answers

2

What's generally meant by statelessness, summed up, is this: all the information needed to execute the HTTP request is self-contained within the request.

Some implications are that:

  • I can disconnect the TCP socket and re-open it, or I can keep a TCP connection open and it makes no difference. All the information to execute the request is contained within the request.
  • In the case of idempotent methods, I can re-do the exact same request and end up with the same state as if I only did it once.

In other words,

There are more complete descriptions of statelessness and HTTP, but the important thing is that statelessness here does NOT mean that the server cannot have any state at all. Most REST services are probably useless if there is no state.

Now to the question of whether having a session violates REST principles. I think it's hard to objectively state this either way. The important parts in relation to your question are that to be RESTful you need a concept of resources, a concept of being able to address them, and a concept of transferring state between client and server. (There are more things that make up a REST service, but here are a few relevant bits.)

I don't think having a means of authentication prevents this, whether authentication is done via an Authorization header or a Cookie header is not really that relevant.

If the session cookies and associated session data start interfering with this process in other ways, it might be possible for a session-related feature to violate REST principles, but I don't think this is generally true.

If there are 'many articles' saying that sessions violate REST, I don't think there is any real basis for this. There are a lot of garbage descriptions of REST going around. I do think it might be bad for other reasons to use cookies for authentication. It does create potential for security issues.

Evert
  • @Evert I appreciate your answer. But I'd like to re-ask, if that is okay. Does the "server" include the database also? As you've said, "HTTP request is self-contained" is really confusing. It can be a token like a JWT which contains all of the information regarding the client. But how about a request which has information that states "I need the post data related to the user whose id is 1."? The server will fetch those posts from the database and give them to the user. How does this sound? Is it violating REST? – koo Apr 09 '19 at 05:18
  • @koo: Yes, it is perfectly fine to store state in a database. An HTTP client doesn't know *what you used* to store state and it doesn't matter. – Evert Apr 09 '19 at 05:21
  • omg.. so if the server stores the client's session in the database such as MySQL, not in memory, it does not violate statelessness! – koo Apr 09 '19 at 05:23
  • Same reason as fetching posts from the database, right? – koo Apr 09 '19 at 05:24
  • @koo, No.. from an HTTP client and server perspective you can't even tell whether something was stored in memory or in a database. It's an unimportant detail. – Evert Apr 09 '19 at 05:24
  • Really, thanks for your answer, I'll take this answer. By the way, why are many people saying that sessions violate REST even when they do not know where the session is held? https://stackoverflow.com/questions/6068113/do-sessions-really-violate-restfulness – koo Apr 09 '19 at 05:26
  • Even if you store everything on a piece of paper and you use a scanner to read from it again, it can still be valid HTTP or RESTful. – Evert Apr 09 '19 at 05:26
  • @koo: 2 reasons.. It's possible to do bad things with sessions that make it either insecure or DO violate RESTfulness. But if you just use it instead of an Authorization header it doesn't violate REST. – Evert Apr 09 '19 at 05:28
  • It's still _better_ to use an Authorization header. – Evert Apr 09 '19 at 05:28
  • It helped. I'll do some more research. Appreciate it. – koo Apr 09 '19 at 05:29
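To make the accepted answer concrete, here is an added example (not code from the thread, and not anything Evert or koo wrote): a single `GET /users/{id}/posts` handler that identifies the caller either from a self-contained signed bearer token or from a session id looked up in a server-side store. The store backend is either a plain dict (the "session in memory" case) or a sqlite table (standing in for MySQL or Mongo). The handler keeps nothing between calls, so each request carries everything needed to execute it, and neither the client nor the handler can tell which backend holds the session. All names, the signing key and the user/post data are constructed for the example.

```python
"""Added example, not code from the Stack Overflow thread: one GET /users/{id}/posts
handler that learns who the caller is either from a self-contained signed bearer
token or from a session id looked up in a server-side store. The store backend is
a plain dict (in memory) or a sqlite table (standing in for MySQL/Mongo); neither
the HTTP client nor the handler can tell which one is in use."""
import hashlib
import hmac
import json
import secrets
import sqlite3

SECRET = b"example-signing-key"                      # constructed; load from config in real code
USERS = {1: "koo", 2: "evert"}                        # constructed users table
POSTS = {1: ["first post", "second post"], 2: ["hello"]}  # constructed user_id -> posts


def make_token(user_id: int) -> str:
    """Issue a self-contained token: hex payload + HMAC-SHA256 tag (toy JWT-like)."""
    payload = json.dumps({"sub": user_id}).encode()
    tag = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + tag


def user_from_token(token: str):
    """Verify the tag and return the user id, or None. No server-side lookup needed."""
    try:
        payload_hex, tag = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(payload)["sub"]


class SqliteSessions:
    """Minimal mapping over a sqlite table; the 'session in the database' case."""
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE sessions (sid TEXT PRIMARY KEY, user_id INTEGER)")

    def __setitem__(self, sid, row):
        self.db.execute("INSERT OR REPLACE INTO sessions VALUES (?, ?)", (sid, row["user_id"]))

    def get(self, sid):
        r = self.db.execute("SELECT user_id FROM sessions WHERE sid = ?", (sid,)).fetchone()
        return {"user_id": r[0]} if r else None


class SessionStore:
    """Server-side session data; `backend` is any mapping with __setitem__/get."""
    def __init__(self, backend):
        self.backend = backend

    def create(self, user_id: int) -> str:
        sid = secrets.token_urlsafe(16)      # unguessable session id
        self.backend[sid] = {"user_id": user_id}
        return sid

    def user_for(self, sid: str):
        row = self.backend.get(sid)
        return row["user_id"] if row else None


def handle_get_posts(request: dict, sessions: SessionStore) -> dict:
    """GET /users/{id}/posts. Everything the handler needs is in the request;
    it keeps nothing between calls, so the same request can be repeated safely."""
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    caller = None
    auth = headers.get("authorization", "")
    cookie = headers.get("cookie", "")
    if auth.startswith("Bearer "):
        caller = user_from_token(auth[len("Bearer "):])
    elif cookie.startswith("sid="):
        caller = sessions.user_for(cookie[len("sid="):])
    if caller is None:
        return {"status": 401, "body": {"error": "unauthenticated"}}
    target = int(request["path"].split("/")[2])
    if caller != target:                     # a user may only read their own posts
        return {"status": 403, "body": {"error": "forbidden"}}
    return {"status": 200, "body": {"user": USERS[target], "posts": POSTS[target]}}


if __name__ == "__main__":
    req = {"path": "/users/1/posts", "headers": {"Authorization": "Bearer " + make_token(1)}}
    print(handle_get_posts(req, SessionStore({})))
    for store in (SessionStore({}), SessionStore(SqliteSessions())):
        sid = store.create(1)
        print(handle_get_posts({"path": "/users/1/posts", "headers": {"Cookie": "sid=" + sid}}, store))
```

Running it prints the same 200 response three times: once for the bearer token and once for each session backend. The bearer path needs no lookup at all, while the cookie path needs the store, but both fit the answer's definition of statelessness because the handler itself retains nothing between requests. The answer's closing preference for an Authorization header is also visible here: the client has to attach a bearer token deliberately, whereas browsers attach cookies automatically to every request to the site, which is what creates the extra security work around cookie-based authentication.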
-1

A RESTful server is separate from the database. A RESTful server, if there is such a thing, is just a web server. REST is just an architecture, say a methodology, that delivers information from server to client and vice versa over HTTP.

Alex M
  • So you mean that a session does not violate RESTfulness, even if it is stored in the database? Many articles say that using a session itself violates REST. – koo Apr 09 '19 at 03:33
  • Sessions are outside the scope of REST. And so what if they do, and so what if they don't. What problem does that cause to your application? – Alex M Apr 09 '19 at 03:41
  • Thanks for your comment. Why the downvote? But actually I cannot fully understand what you mean. Why are people saying that using a session violates a REST API? – koo Apr 09 '19 at 03:42
  • Can you please answer my question more in detail? – koo Apr 09 '19 at 04:49