+1

Jacopo

On Sat, Sep 26, 2020 at 6:35 AM Girish Vasmatkar <
girish.vasmat...@hotwaxsystems.com> wrote:

> Hi
>
> I am using the userLogin service to authenticate users before generating auth
> tokens for REST API and GraphQL calls. However, I figured that a session is
> also getting created and returned in response which is defeating the
> purpose of having an API in place. Even though that session is not getting
> used anywhere when subsequent calls are made using the token, I still think
> it is an extra session lying around in Tomcat's session cache.
>
> I propose to implement a new basic userLogin service (basicAuthUserLogin)
> that would just do username/password matching and be done with it without
> ever calling request.getSession(). This will ensure that APIs are stateless
> and no session is generated.
>
> Anything else you think should be part of the new service instead of just
> username/password validation?
>
> Best,
> Girish
> HotWax Systems
>
