On Thu, Jan 28, 2010 at 11:02, Vidar Ramdal <[email protected]> wrote:
> Two questions immediately come to mind when considering user sessions:
> 1. Is it really RESTful?
Unfortunately experience has shown that you don't get proper, flexible and modern authentication mechanisms to work together with a "fully RESTful" authentication. The latter is only achieved by HTTP basic auth in practice, but this has a few drawbacks:

- needs encrypted transport, e.g. SSL, as credentials are sent with every request
- umlauts not properly supported across all browsers (big no-go if people have secure passwords with umlauts and other special characters)

Kerberos, OpenID, etc., which are secure and/or flexible, state-of-the-art on the web, require a session to be kept with the request. Note that the session should be as small as possible, e.g. basically only some ID, to reduce the problems associated with them.

> 2. How do we handle sessions in a clustered environment?

Sticky sessions are probably the best answer, which is handled by the proxy/dispatcher. A cluster might not be fast enough (replication done in XX ms, since requests for css or image resources are typically sent very quickly after the original page) and HTTP session clustering in app servers does not scale.

Regards,
Alex

--
Alexander Klimetschek
[email protected]
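The umlaut problem Alex mentions comes from the Basic scheme itself: the header carries `base64(user:password)` as raw bytes with no declared character set, so a client that encodes "ß" as Latin-1 and a server that decodes as UTF-8 (or vice versa) see two different passwords. The following is an added example written for this page, not code from the thread or from any project discussed in it; the user name, the password "Zoë-Straße" and the two encodings are constructed for the demo.

```python
import base64
import binascii
import hmac
from typing import Optional, Tuple


def make_basic_header(user: str, password: str, encoding: str) -> str:
    """Build an Authorization header the way a client that happens to use
    `encoding` for non-ASCII characters would. Note: base64 is not
    encryption; this value is readable by anyone who sees the request,
    which is why Basic auth needs TLS on every request."""
    raw = f"{user}:{password}".encode(encoding)
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(header: str, encoding: str) -> Optional[Tuple[str, str]]:
    """Decode a Basic header assuming credentials were sent in `encoding`.
    Returns (user, password), or None for anything malformed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode(encoding)
    except UnicodeDecodeError:
        # Bytes that are not valid in the assumed encoding: the client
        # used a different charset than the server expects.
        return None
    # Only the first ':' separates user from password; the password may
    # legitimately contain further colons.
    user, sep, password = text.partition(":")
    if not sep:
        return None
    return user, password


def check_login(header: str, expected_user: str, expected_password: str,
                server_encoding: str) -> bool:
    """Server-side check. Constant-time comparison so a rejected login
    does not leak how many leading bytes matched."""
    creds = parse_basic_header(header, server_encoding)
    if creds is None:
        return False
    user, password = creds
    user_ok = hmac.compare_digest(user.encode("utf-8"), expected_user.encode("utf-8"))
    pw_ok = hmac.compare_digest(password.encode("utf-8"), expected_password.encode("utf-8"))
    return user_ok and pw_ok


if __name__ == "__main__":
    # Constructed credentials containing non-ASCII characters.
    user, password = "alice", "Zoë-Straße"
    for client_enc, server_enc in [("utf-8", "utf-8"), ("utf-8", "latin-1"),
                                   ("latin-1", "utf-8"), ("latin-1", "latin-1")]:
        header = make_basic_header(user, password, client_enc)
        ok = check_login(header, user, password, server_enc)
        print(f"client {client_enc:7} / server {server_enc:7}: {'accepted' if ok else 'REJECTED'}")
```

Only the two agreeing pairs are accepted; with a Latin-1 client and a UTF-8 server the bytes are not even decodable, and with a UTF-8 client and a Latin-1 server the password silently becomes "ZoÃ«-StraÃ\x9fe". A purely ASCII password works under every combination, which is why the problem only shows up for users with "secure passwords with umlauts". RFC 7617 (2015, well after this thread) added a `charset="UTF-8"` parameter to the `WWW-Authenticate: Basic` challenge so a server can at least declare which encoding it expects, but a client that ignores it still produces exactly the mismatch shown here.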
