Do I need to use SESSION when I write a REST API service?

I am working on a RESTful API service. I never used the Session object for the HandleSpecialURL calls.

The client app logs in and it gets an access token. With this token the client app can make a variety of calls to the API service. The token is either stored as a header variable or as a value in a JSON package.

If the token is expired the client app needs to log in again to receive a new token. Each time the client app uses this token, the expiration timestamp of this token is reset. This way the client app doesn’t have to re-login again.

Now my question. Is it necessary to write my data (request) handling code within a session instance?
I thought it wasn’t needed, since each request has a token. And without a valid token there is no information exchange possible.

I would suggest you use your own lightweight session object for the web service.

One REST function would do the login and create such an object, put it in a dictionary with session ID (e.g. UUID) as key. Return that ID to user.

Other functions look up session information with that ID. You may need to check there if the session hasn’t been used for a long time.

[quote=307302:@Christian Schmitz]I would suggest you use your own lightweight session object for the web service.

One REST function would do the login and create such an object, put it in a dictionary with session ID (e.g. UUID) as key. Return that ID to user.

Other functions look up session information with that ID. You may need to check there if the session hasn’t been used for a long time.[/quote]

Sounds clear to me. But with a lightweight session object, you mean a regular class with its own properties and methods? Or an actual session object?

Dim MySession As New Session
MySession.someData = "1234567890"
SessionStack( UUID ) = MySession

Where SessionStack is a dictionary,
someData is a property within the Session object,
and UUID is a unique ID generated by a UUID function I have lying around…

Or:

Dim MySession As New MySessionClass
MySession.someData = "1234567890"
SessionStack( UUID ) = MySession

Where MySessionClass is a class with some properties and methods

a new class made by you.

I thought so. Thanks!
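
The lightweight session store discussed above, with the sliding expiration from the original question, as an added example in Python rather than Xojo; it is not code from this thread or from any framework mentioned in it. Assumptions: the names `ApiSession` and `SessionStore`, the 15-minute idle timeout, the 8-hour hard lifetime cap (not mentioned in the thread), and a random token from `secrets` in place of the UUID.

```python
import secrets
import time
from dataclasses import dataclass, field
IDLE_TIMEOUT = 15 * 60      # assumed: seconds without use before the token expires
MAX_LIFETIME = 8 * 60 * 60  # assumed: hard cap so a busy token cannot live forever

@dataclass
class ApiSession:  # plain class holding per-login state, not the framework's Session
    user: str
    created: float
    last_used: float
    data: dict = field(default_factory=dict)

class SessionStore:
    def __init__(self, clock=time.monotonic):
        self._sessions = {}  # token -> ApiSession, the thread's SessionStack
        self._clock = clock

    def login(self, user, credentials_ok):
        """Issue a token after the caller has verified the credentials."""
        if not credentials_ok:
            return None
        token = secrets.token_urlsafe(32)  # CSPRNG token instead of a UUID
        now = self._clock()
        self._sessions[token] = ApiSession(user, now, now)
        return token

    def _expired(self, s, now):
        return now - s.last_used > IDLE_TIMEOUT or now - s.created > MAX_LIFETIME

    def authenticate(self, token):
        """Run on every request: return the session, or None (client must log in)."""
        s = self._sessions.get(token) if isinstance(token, str) else None
        if s is None:
            return None
        now = self._clock()
        if self._expired(s, now):
            del self._sessions[token]
            return None
        s.last_used = now  # sliding expiration: each valid use resets the timer
        return s

    def purge(self):
        """Drop sessions nobody came back for; call periodically."""
        now = self._clock()
        dead = [t for t, s in self._sessions.items() if self._expired(s, now)]
        for t in dead:
            del self._sessions[t]
        return len(dead)
```

Without the hard cap, a token that is used at least once per idle window never expires, so a leaked token stays valid for as long as anyone keeps using it.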

@Edwin van den Akker : Generally, REST APIs are stateless, and that seems to be a widely accepted best practice. So every API request should be authenticated.

If you want to see an example of that, Luna (an open source, Xojo-based framework for creating RESTful APIs) works that way. Clients send an “Authorization” header that includes a token, which is used to authenticate every request. If you’re interested, more info about Luna is available here and the source is available on GitHub.

Best of luck with your project.

Thanks. In a way that is what I already thought. Like I mentioned in my initial post.
I have looked at Luna. Looks interesting. I heard about it a while ago in a webinar. I should look into Luna again.

Hi Edwin,

Today I’ve played a bit with (RAPID SERVICES) from 1701 Software.

Really promising for people who want to start creating RESTful APIs. For me a timesaver and easy to implement.

Greetings, Björn

Looks cool. They also offer cloud services. I’ll look into their REST tools. Thanks!

I actually looked at Luna again, a while back. What I love about that project is that it uses Introspection to find the URL endpoints as methods in the App class.
I tinkered a bit with it. I ended up redoing a lot of code and the endpoint functions reside in their own class now. Also, I added SQLite support, which I use for my user/token administration. The other data I serve resides in a separate database.

The Luna project has been a huge help and inspiration. Thanks for recommending!