Do I need to use SESSION when I write a REST api service?

  1. last year

    Edwin v

    4 Jan 2017 Pre-Release Testers, Xojo Pro The Netherlands

    I am working on a RESTful API service. I never used the Session object for the HandleSpecialURL calls.

    The client app logs in and it gets an access token. With this token the client app can make a variety of calls to the API service. The token is either stored as a header variable or as a value in a JSON package.

    If the token is expired the client app needs to log in again to receive a new token. Each time the client app uses this token, the expiration timestamp of this token is reset. This way the client app doesn't have to re-login again.

    Now my question. Is it necessary to write my data (request) handling code within a session instance?
    I thought it wasn't needed. Since each request has a token. And without a valid token there is no information exchange possible.

  2. Christian S

    4 Jan 2017 Pre-Release Testers, Xojo Pro Germany

    I would suggest you use your own lightweight session object for the web service.

    One REST function would do the login and create such an object, put it in a dictionary with session ID (e.g. UUID) as key. Return that ID to user.

    Other functions lookup session information with that ID. You may need to check there if session hasn't been used for a long time.

  3. Edwin v

    4 Jan 2017 Pre-Release Testers, Xojo Pro The Netherlands
    Edited last year

    @ChristianSchmitz I would suggest you use your own lightweight session object for the web service.

    One REST function would do the login and create such an object, put it in a dictionary with session ID (e.g. UUID) as key. Return that ID to user.

    Other functions lookup session information with that ID. You may need to check there if session hasn't been used for a long time.

    Sounds clear to me. But with a lightweight session object, you mean a regular class with its own properties and methods? Or an actual session object?

    dim MySession as Session
    MySession.someData = "1234567890"
    SessionStack( UUID ) = MySession

    Where SessionStack is a dictionary,
    someData is a property within the Session object,
    and UUID is a unique ID generated by a UUID function I have lying around...

    Or:

    Dim MySession As New MySessionClass
    MySession.someData = "1234567890"
    SessionStack( UUID ) = MySession

    Where MySessionClass is a class with some properties and methods

  4. Christian S

    4 Jan 2017 Pre-Release Testers, Xojo Pro Germany

    A new class made by you.

  5. Edwin v

    4 Jan 2017 Pre-Release Testers, Xojo Pro The Netherlands

    @ChristianSchmitz a new class made by you.

    I thought so. Thanks!

  6. Tim D

    4 Jan 2017 Pre-Release Testers, Xojo Pro Answer Richmond, VA

    @Edwin vden Akker: Generally, REST APIs are stateless, and that seems to be a widely accepted best practice. So every API request should be authenticated.

    If you want to see an example of that, Luna (an open source, Xojo-based framework for creating RESTful APIs) works that way. Clients send an "Authorization" header that includes a token, which is used to authenticate every request. If you're interested, more info about Luna is available here and the source is available on GitHub.

    Best of luck with your project.

  7. Edwin v

    9 Jan 2017 Pre-Release Testers, Xojo Pro The Netherlands

    @Tim D Generally, REST APIs are stateless, and that seems to be a widely accepted best practice. So every API request should be authenticated.

    Thanks. In a way that is what I already thought. Like I mentioned in my initial post.
    I have looked at Luna. Looks interesting. I heard about it a while ago in a webinar. I should look into Luna again.

  8. Björn D

    10 Jan 2017 Pre-Release Testers, Xojo Pro Europe

    Hi Edwin,

    Today I've played a bit with (RAPID SERVICES) from 1701 Software.

    Really promising for people who want to start creating a RESTful API. For me a timesaver and easy to implement.

    Greetings, Björn

  9. Edwin v

    11 Jan 2017 Pre-Release Testers, Xojo Pro The Netherlands

    @BjörnDohle Today I've played a bit with (RAPID SERVICES) from 1701 Software.

    Looks cool. They also offer cloud services. I'll look into their REST tools. Thanks!

  10. 2 weeks ago

    Edwin v

    Feb 13 Pre-Release Testers, Xojo Pro The Netherlands

    @Edwin vden Akker I should look into Luna again.

    I actually looked at Luna again, a while back. What I love about that project is that it uses Introspection to find the URL endpoints as methods in the App class.
    I tinkered a bit with it. I ended up redoing a lot of code and the endpoint functions reside in their own class now. Also, I added SQLite support, which I use for my user/token administration. The other data I serve reside in a separate database.

    The Luna project has been a huge help and inspiration. Thanks for recommending!
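
The scheme discussed in this thread (a token issued at login, looked up in a dictionary or token table on every request, with the expiry reset on each use), as an added sketch that is not code from any poster or from Luna. It is written in Python rather than Xojo so it runs as-is; the `Bearer` header scheme, the timeout values, the hashed storage key and the absolute lifetime cap are assumptions of this example.

```python
import hashlib
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # assumed: seconds of inactivity before expiry
MAX_LIFETIME = 8 * 60 * 60    # assumed: hard cap, regardless of activity


class SessionStore:
    """In-memory stand-in for the dictionary / token table from the thread."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}   # sha256(token) -> session record

    @staticmethod
    def _key(token):
        # Only a hash is stored, so a leaked table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user):
        """Call after credentials were verified; returns the token for the client."""
        token = secrets.token_urlsafe(32)   # CSPRNG output, not guessable
        now = self._clock()
        self._sessions[self._key(token)] = {
            "user": user, "created": now, "last_used": now}
        return token

    def authenticate(self, authorization_header):
        """Return the user for a valid 'Bearer <token>' header, else None."""
        scheme, _, token = (authorization_header or "").partition(" ")
        if scheme.lower() != "bearer" or not token:
            return None
        key = self._key(token.strip())
        record = self._sessions.get(key)
        if record is None:
            return None
        now = self._clock()
        if (now - record["last_used"] > IDLE_TIMEOUT
                or now - record["created"] > MAX_LIFETIME):
            del self._sessions[key]     # expired: client must log in again
            return None
        record["last_used"] = now       # sliding expiration, reset on each use
        return record["user"]

    def logout(self, token):
        self._sessions.pop(self._key(token), None)
```

The lifetime cap is there because a purely sliding expiry lets a stolen token stay valid for as long as it keeps being used.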
