[Info-vax] Restful API w/JSON client package or library on OpenVMS
    Arne Vajhøj 
    arne at vajhoej.dk
       
    Thu Mar 14 22:27:05 EDT 2024
    
    
  
On 3/14/2024 9:31 PM, Lawrence D'Oliveiro wrote:
> On Thu, 14 Mar 2024 20:29:21 -0400, Arne Vajhøj wrote:
>> A RESTful service is stateless so it cannot keep a
>> session server side.
> 
> Who says it can’t?

Fielding.

<quote>
5.1.3 Stateless
We next add a constraint to the client-server interaction: communication 
must be stateless in nature, as in the client-stateless-server (CSS) 
style of Section 3.4.3 (Figure 5-3), such that each request from client 
to server must contain all of the information necessary to understand 
the request, and cannot take advantage of any stored context on the 
server. Session state is therefore kept entirely on the client.
</quote>

>> Frequently the authorizing service
>> is different from the authorized service for modern web
>> services. Session cookies are not an option in that context.
> 
> If a REST client is not a web browser, it doesn’t have to abide by web
> browser security restrictions.

The client can do anything it wants to.
But using browser cookie HTTP headers for implementing
a different semantics than browsers do is the worst possible
design. Standards are good. Hacks are bad. Hacks that pretend
to look like standards are the worst.

Arne
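
The stateless constraint quoted above, together with the point about a separate authorizing service, shown as an added example that is not part of the original message. The token layout, function names and shared key are constructed for illustration (a simplified HMAC token, not a standard format): one service signs the claims, the other decides from the `Authorization: Bearer` header alone, with no session store and no cookie.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key shared by the two hypothetical services.
SHARED_KEY = b"constructed-demo-key-not-for-production"

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(body: str) -> str:
    return b64e(hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest())

def issue_token(subject, scope, ttl=300, now=None):
    """Authorizing service: sign the claims; nothing is stored server side."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "scope": scope, "exp": int(now) + ttl}
    body = b64e(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{sign(body)}"

def authorize_request(headers, required_scope, now=None):
    """Authorized service: decide from the request alone, no session lookup.
    Returns the subject on success, None on any failure."""
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or token.count(".") != 1:
        return None
    body, sig = token.split(".")
    # Constant-time comparison of the presented and recomputed signatures.
    if not hmac.compare_digest(sig.encode(), sign(body).encode()):
        return None
    try:
        claims = json.loads(b64d(body))
    except ValueError:
        return None
    if claims.get("exp", 0) <= now:                   # expired
        return None
    if required_scope not in claims.get("scope", []):  # not granted
        return None
    return claims.get("sub")

if __name__ == "__main__":
    token = issue_token("alice", ["orders:read"])
    print(authorize_request({"Authorization": f"Bearer {token}"}, "orders:read"))
```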