
I am writing a report about an application I have designed that includes, what I believe to be, a REST API on the backend.

The way the application authorises users to request resources from the database is by using session cookies. I understand there is a lot of debate about whether or not session cookies server-side violate REST, but I have not found any specific clarification that the way I am using them breaks REST rules.

I am using the node Express framework with the express-session package. The way the cookies are created and stored is through a middleware that saves the session data to my mongodb instance with connect-mongodb-session like so:

app.js

    // app.js imports start
    const express = require("express");
    const mongoose = require("mongoose");
    const session = require("express-session");
    const config = require("config");
    const uuid = require("uuid");
    // connect-mongodb-session exports a factory: call it with express-session
    // to obtain the store class
    const MongoDBStore = require("connect-mongodb-session")(session);
    // app.js imports end

    const app = express();

    const mdbStore = new MongoDBStore({
        uri: config.get("mongoURI"),
        collection: "sessions",
        // connect-mongodb-session takes the session lifetime in milliseconds
        // as `expires` (it maintains a TTL index on that field) and opens its
        // own connection from `uri`, so the mongoose connection is not passed in
        expires: config.get("sessionLife"),
    });

    // The store emits "error" on connection problems; an unhandled error
    // event would crash the process
    mdbStore.on("error", function (err) {
        console.error("session store error:", err);
    });

    // Session middleware
    app.use(
        session({
            name: config.get("sessionName"),
            genid: function () {
                return uuid.v4();
            },
            secret: config.get("sessionKey"),
            resave: false,
            saveUninitialized: false,
            cookie: {
                sameSite: true,
                httpOnly: true,
                // add `secure: true` when the app is served over HTTPS
                maxAge: config.get("sessionLife"),
            },
            store: mdbStore,
        })
    );

This means that when a client request comes in, the client's authorisation data will be available via req.session, but that data is coming from my database, not being stored on the server anywhere.

So ultimately this means that my server doesn't store any user data directly, but has a dependency on the state of a session cookie stored in the database. Does this mean the API is not RESTful?

I have read through this SO article, "Do sessions really violate RESTfulness?", and only found a small mention of cookies stored in a database, but would still really appreciate any comments/clarifications/criticisms anyone has. Thanks

andy
  • 81
  • 11

1 Answer

1

It depends on the nature of the front end.

If you use a mobile application deployed in a public store, where anyone downloads it and auto-registers using a social ID, then your technology is not good.

Usually, for an enterprise mobile application, the session data should be encrypted and sent back and forth in the request/response and maintained in the mobile code.

If this is simply a web page and the REST API is also available on the same server where the HTML is deployed, then the session can be stored in the DB.

If the REST API is separated onto another computer and you invoke it from the front-end server-side code via an internal IP/host address which is not exposed to the public, then your logic is not good.

Front-end server-side code means you can have a dedicated server responsible for React JS execution which does not contain the database access code; it only has the AJAX services, which is obviously REST. There can be another server which will again receive another REST call and will talk to another computer where MySQL or Oracle is installed.

That means 1 web server, 1 app server and 1 database server, like real-world enterprise applications.

If your DB is not configured on the same computer, then storing the session in the DB is not a good idea; create a cache DB server like Redis or Couchbase on the first computer and store the session there, and leave the business DB alone, separated from your UI logic and needs.

Dickens A S
  • 3,824
  • 2
  • 22
  • 45
  • frontend is a React/Redux build put together with `create-react-app`, has nothing to do with mobile currently. Can you clarify the last part please? What do you mean by front end server side code? – andy May 02 '20 at 12:57
  • So yeah that's basically the configuration. react js execution uses `axios` to talk to the REST API which queries the cloud db (`mongodb`). So do you have any conclusions about what I have done? I am still unsure if you are saying my implementation is bad or not? – andy May 02 '20 at 13:16
  • Yes, if your DB is not configured on the same computer then storing the session in the DB is not a good idea; create a cache DB server like Redis or Couchbase on the first computer and store the session there, and leave the business DB alone, separated from your UI logic and needs – Dickens A S May 02 '20 at 13:25