How do I create a new HttpSession in a RESTful webapp?

Question

I have a need to create a HttpSession (via cookie) whenever a client invokes a particular UI.

Assumptions:

• Let's assuming that I'm not going to worry about any deep oAuth-like authentication dance. JESSIONSID cookie impersonation is not an issue for now.
• The server is tomcat, thus a JSESSIONID cookie is sent down to the client if a new session is created.

Design issues:

1. I'm grappling with how to design the URI. What is actually the REST resource ? I already have /users and /users/{someuserid}. I wanted to use /auth/login but in one previous SO question, one cited article says that we should not have verbs in the url. I've noticed that even Google makes the same mistake by having https://www.google.com/accounts/OAuthGetRequestToken. So in your opinion, are /auth/login/johndoe (login) and /auth/logout/johndoe (logout) good options ?

UPDATE:

I've changed my design. I'm now thinking of using the URIs /session/johndoe (PUT for login, DELETE for logout). It should still be within the limits of the REST ethos ?

Answer 1

I am in the midst of creating a REST endpoint that recognizes sessions. I've standardized on:

• POST /sessions => returns Location: http://server/api/sessions/1qazwsxcvdf
• DELETE /sessions/1qazwsxcvdf => invalidates session

It is working well.

Answer 2

Aren't sessions irrelevant in REST Style Architecture?

http://www.prescod.net/rest/mistakes/