Schley,

No risk of fire here; using a cookie is a common workaround for authentication. We are even planning direct support for this in the Restlet Framework, see this RFE:

"Support cookie based authentication"
http://restlet.tigris.org/issues/show_bug.cgi?id=605

Best regards,
Jerome Louvel
--
Restlet ~ Founder and Lead developer ~ http://www.restlet.org
Noelios Technologies ~ Co-founder ~ http://www.noelios.com

-----Original Message-----
From: Schley Andrew Kutz [mailto:sak...@gmail.com]
Sent: Monday, 14 September 2009 17:06
To: discuss@restlet.tigris.org
Subject: REST and Authentication

Not to start a fire, but I was curious what people thought about my approach to authentication with my RESTful application.

I am currently using a Restlet authenticator (was using a Servlet filter) to authenticate incoming requests. Once authenticated, the request and response have a cookie added to their cookie collection. This cookie is also stored in an authentication tokens table the REST application has access to.

The benefit of this is that it allows for a "login once" architecture without having to deal with the hazards of BASIC auth (never expiring, for example). However, I am pretty sure I am violating the spirit of REST by maintaining a form of state.

What do you think?

--
-a

"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." --Einstein

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2394659

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2402913