Can you help me understand this? "Common REST Mistakes: Sessions are irrelevant"


Question

Disclaimer: I'm new to the REST school of thought, and I'm trying to wrap my mind around it.

So, I'm reading this page, Common REST Mistakes, and I've found I'm completely baffled by the section on sessions being irrelevant. This is what the page says:

There should be no need for a client to "login" or "start a connection." HTTP authentication is done automatically on every message. Client applications are consumers of resources, not services. Therefore there is nothing to log in to! Let's say that you are booking a flight on a REST web service. You don't create a new "session" connection to the service. Rather you ask the "itinerary creator object" to create you a new itinerary. You can start filling in the blanks but then get some totally different component elsewhere on the web to fill in some other blanks. There is no session so there is no problem of migrating session state between clients. There is also no issue of "session affinity" in the server (though there are still load balancing issues to continue).

Okay, I get that HTTP authentication is done automatically on every message - but how? Is the username/password sent with every request? Doesn't that just increase attack surface area? I feel like I'm missing part of the puzzle.

Would it be bad to have a REST service, say, /session, that accepts a GET request, where you'd pass in a username/password as part of the request, and returns a session token if the authentication was successful, that could be then passed along with subsequent requests? Does that make sense from a REST point of view, or is that missing the point?

Accepted answer

To be RESTful, each HTTP request should carry enough information by itself for its recipient to process it to be in complete harmony with the stateless nature of HTTP.

> Okay, I get that HTTP authentication is done automatically on every message - but how?

Yes, the username and password are sent with every request. The common methods to do so are basic access authentication and digest access authentication. And yes, an eavesdropper can capture the user's credentials. One would thus encrypt all data sent and received using Transport Layer Security (TLS).

> Would it be bad to have a REST service, say, /session, that accepts a GET request, where you'd pass in a username/password as part of the request, and returns a session token if the authentication was successful, that could be then passed along with subsequent requests? Does that make sense from a REST point of view, or is that missing the point?

This would not be RESTful since it carries state, but it is however quite common since it's a convenience for users; a user does not have to log in each time.

What you describe in a "session token" is commonly referred to as a login cookie. For instance, if you try to log in to your Yahoo! account there's a checkbox that says "keep me logged in for 2 weeks". This is essentially saying (in your words) "keep my session token alive for 2 weeks if I log in successfully." Web browsers will send such login cookies (and possibly others) with each HTTP request you ask them to make for you.
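The contrast the answer draws, credentials carried on every request versus a server-remembered session, is easier to see in code. The following is an added example and not code from the question, the answer, or the "Common REST Mistakes" page; it assumes a constructed in-memory user store with PBKDF2-hashed passwords and a constructed in-memory session table. The first half builds and verifies a Basic `Authorization` header the stateless way (the server keeps nothing between requests, and base64 is shown to be encoding, not encryption, which is why the answer insists on TLS). The second half issues and checks an opaque session token, which only works because the server now holds state.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed user store for this example: username -> (salt, PBKDF2-SHA256 hash).
# Passwords are never stored in the clear, even in a demo.
_SALT = b"constructed-example-salt"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}


def build_basic_header(username: str, password: str) -> str:
    """What a client puts on every request under basic access authentication."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def parse_basic_header(header: str):
    """Decode 'Basic <base64(user:pass)>'; returns (user, password) or None if malformed."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def _verify_password(user: str, password: str) -> bool:
    record = USERS.get(user)
    if record is None:
        # Hash anyway so an unknown username costs the same time as a wrong password.
        _hash_password(password, _SALT)
        return False
    salt, expected = record
    return hmac.compare_digest(_hash_password(password, salt), expected)


def authenticate_stateless(headers: dict):
    """Stateless check: each request is self-contained; nothing survives between calls."""
    header = headers.get("Authorization")
    if header is None:
        return None
    parsed = parse_basic_header(header)
    if parsed is None:
        return None
    user, password = parsed
    return user if _verify_password(user, password) else None


# Constructed session table: token -> username. This is the server-side state the
# answer refers to; it is what ties a client to the server that holds the table.
SESSIONS: dict = {}


def issue_session_token(username: str, password: str):
    """The /session idea from the question: trade credentials for an opaque token."""
    if not _verify_password(username, password):
        return None
    token = secrets.token_urlsafe(32)  # unguessable, not derived from the password
    SESSIONS[token] = username
    return token


def authenticate_with_token(headers: dict):
    """Stateful check: only works if this server (or a shared store) remembers the token."""
    header = headers.get("Authorization", "")
    scheme, _, token = header.partition(" ")
    if scheme != "Bearer" or not token:
        return None
    return SESSIONS.get(token)


def header_reveals_password(header: str) -> bool:
    """Demonstrates that Basic auth only encodes; without TLS the password is readable."""
    return b":" in base64.b64decode(header.split(" ", 1)[1])


if __name__ == "__main__":
    hdr = build_basic_header("alice", "correct horse")
    print("stateless:", authenticate_stateless({"Authorization": hdr}))
    tok = issue_session_token("alice", "correct horse")
    print("stateful:", authenticate_with_token({"Authorization": f"Bearer {tok}"}))
```

Run with `python3 file.py`; the stateless call succeeds on every request without any server memory, while the token call succeeds only while `SESSIONS` holds the entry, which is exactly the session-affinity and state-migration concern the quoted page raises.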
