Way to maintain a session in a REST application


Question

We have a REST application that is utilized mostly by applications that don't need to maintain their state, so to date we have been quite "RESTful" without maintaining a state. We use the Private/Public (similar to Amazon) for authentication. Currently the client passes the credentials for every request.

Now we have a new requirement where we have to maintain the state (or conversation). The client can be a Rich application or a hand-held device. I am trying to come up with the best way to implement the state. Should we pass on a session ID and maintain that ID? Is that the best and the only solution?

Recommended answer

Passing on a session ID is not the only way and not the best way to maintain conversational state. The best way, if you have a RIA, is to maintain the state on the client itself, where it belongs, as some of the comments suggest. This means still sending the credentials with every request.

Re-authentication on every request is the only way, and if you feel that there's a performance hit on the server, the server can (as suggested) cache the result of an authentication request for a period of time. Digest authentication could help avoid caching responses by cryptographically signing the tokens going over the wire.

If that's not good enough you could use something akin to Google ClientLogin, giving the client an encrypted token that can be verified without needing to ask for authorization, and without passing the user's real credentials over the wire. Google themselves do this by doing the login over https, and then using the generated tokens over http. It's open to replay attacks for the lifetime of the token.
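The self-contained token approach described in the answer, as an added example that is not part of the original answer and is not Google's ClientLogin code: after a login over HTTPS the server hands back a token (user id plus expiry, authenticated with an HMAC under a server-side secret) that every later request can be verified from without a session table or a credential lookup. It goes one step beyond the answer to address the replay window it mentions: the server also derives a per-token session key, and the client signs each request (method, path, body hash, timestamp, nonce) with that key, so a captured token cannot be replayed on its own and a captured request cannot be replayed twice. All names, the secret, the time values and the request data below are constructed for the example; `SEEN_NONCES` is kept as an in-memory set only to keep the example self-contained.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Server-side secret (assumed value for the example; load from a secret store and rotate in practice).
SERVER_SECRET = b"example-secret-rotate-me"
CLOCK_SKEW_SECONDS = 300          # how stale a signed request may be before it is rejected
SEEN_NONCES = set()               # replay cache; would be a TTL-bounded store in a real deployment


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Login step (done over HTTPS after the real credentials were checked).
    The payload carries only the subject and an expiry; the MAC lets any server
    with SERVER_SECRET verify it without a database round trip."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": user, "exp": int(now) + ttl_seconds}, separators=(",", ":")).encode()
    mac = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(mac)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the token is genuine and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, mac_b64 = token.split(".")
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None               # forged or tampered token
    claims = json.loads(payload)
    if claims["exp"] <= now:
        return None               # expired: this bounds the replay window of the bare token
    return claims["sub"]


def session_key(payload: bytes) -> bytes:
    """Per-token signing key. Derived from SERVER_SECRET and the token payload, so the
    server can recompute it from the presented token and never has to store it."""
    return hmac.new(SERVER_SECRET, b"session-key|" + payload, hashlib.sha256).digest()


def login(user: str, ttl_seconds: int, now: Optional[float] = None) -> Tuple[str, bytes]:
    """What the client receives over HTTPS: the bearer token and the key it will sign requests with."""
    token = issue_token(user, ttl_seconds, now)
    return token, session_key(_unb64(token.split(".")[0]))


def sign_request(key: bytes, method: str, path: str, body: bytes, timestamp: int, nonce: str) -> str:
    """Client side: bind the token to one concrete request (Amazon-style request signing)."""
    message = "\n".join([method, path, hashlib.sha256(body).hexdigest(), str(timestamp), nonce]).encode()
    return _b64(hmac.new(key, message, hashlib.sha256).digest())


def authenticate_request(token: str, method: str, path: str, body: bytes, timestamp: int,
                         nonce: str, signature: str, now: Optional[float] = None) -> Optional[str]:
    """Server side: token must verify, the request must be fresh, unseen, and correctly signed."""
    now = time.time() if now is None else now
    user = verify_token(token, now)
    if user is None:
        return None
    if abs(now - timestamp) > CLOCK_SKEW_SECONDS:
        return None               # too old or from the future: replay outside the skew window
    if nonce in SEEN_NONCES:
        return None               # exact replay inside the skew window
    key = session_key(_unb64(token.split(".")[0]))
    expected = sign_request(key, method, path, body, timestamp, nonce)
    if not hmac.compare_digest(expected, signature):
        return None               # token presented without knowledge of the session key
    SEEN_NONCES.add(nonce)
    return user


if __name__ == "__main__":
    tok, key = login("alice", ttl_seconds=3600, now=1_000_000)
    sig = sign_request(key, "GET", "/orders/42", b"", 1_000_050, "nonce-1")
    print(authenticate_request(tok, "GET", "/orders/42", b"", 1_000_050, "nonce-1", sig, now=1_000_060))
```

The bare token is exactly the ClientLogin-style artifact the answer describes, and `verify_token` alone reproduces its replay exposure until `exp`; the request signature and nonce check are what narrow that exposure to a single use of a single request, at the cost of a small replay cache.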

