2

A REST client usually send an authentication parameter every time which acts like PHP Session Id cookie in browser in a way. But REST client is no browser so I though in my server side code why not I take that authentication parameter and use 

session_id($_GET('authentication_code'));

Is it good way of doing it ??

Mr Coder
  • 8,169
  • 5
  • 45
  • 74
  • I think you should at least, verify and handle the content –  Jan 03 '12 at 10:47
  • 4
    Using PHP sessions in any way does not conform to the "Stateless" [constraint](http://en.wikipedia.org/wiki/Representational_state_transfer#Constraints) of REST, so I would say that the short answer to this is "No". – DaveRandom Jan 03 '12 at 10:48
  • Look up what "idempotent" means. REST services should be described using that word. – duffymo Jan 03 '12 at 10:50
  • @DaveRandom How about using it just for logging (authentication) purpose and not storing anything inside $_SESSION except identity of the user ? – Mr Coder Jan 03 '12 at 10:55
  • 2
    @beginner Storing *anything* session related server side is a direct contradiction of REST. There is not necessarily anything wrong with PHP sessions for your API - as long as you fully understand the implications of doing so - but it wont be a true REST API if you do. – DaveRandom Jan 03 '12 at 11:00

2 Answers2

5

REST stands for Representation State Transfer and in it's purest form boils down to 6 constraints, one of which is that the client-server communication must be stateless, it must contain all the information needed to complete the request, no client state must be stored on the server.

The server CAN be stateful however, which is why you can store a client's auth code on the server, but it is up to the client itself to pass that code with each request, the server cannot use sessions to store the authentication code.

Uwe Keim
  • 39,551
  • 56
  • 175
  • 291
Stuart Grimshaw
  • 1,541
  • 1
  • 18
  • 41
0

The answer is no. The S REST is for stateless which means you cannot store anything on the server.

Tom van der Woerdt
  • 29,532
  • 7
  • 72
  • 105
  • 20
    REST stands for Representational State Transfer, so the S stands for State, not Stateless, so the answer is No, but not for the reason you say. – Stuart Grimshaw Jan 04 '12 at 11:33
  • @StuartGrimshaw True, but you transfer the state every time, so while the S doesn't literally mean `stateless` it does represent it. You are, of course, very much correct. – Tom van der Woerdt Jan 04 '12 at 11:35
  • @TomvanderWoerdt S for `stateless` is very misleading. I imagine junior devs, having read this answer, spreading this "little nonsense" at meetups or interviews. I understand your idea, but don't do it this way please ;) – ducin Dec 27 '16 at 10:09