Managing the login information in RESTful web app

Question

In a RESTful application, there's no state maintained between two requests. Each request is treated as a completely new one, even though it would have been sent by the same user. I.e. There's no session.

In that case, how does the User Login information handled by a REST application?

1. Is that, after a successful login, the server generates a security token and sends it to client and the client sends it back for each and every request there after?
2. If above is true, where the security token is stored in server? Database? (Remember: No session).

Answer 1

Is that, after a successful login, the server generates a security token and sends it to client and the client sends it back for each and every request there after? If above is true, where the security token is stored in server? Database? (Remember: No session).

Ehrm. Sending a token to the client which will be sent back on each subsequent request, only to retrieve information associated with that token from the database on the server-side? That's called a session. It's exactly what PHP sessions do, apart from storing the information in a file, instead of a database. You're recreating sessions.

Anyway, I think the "no session, no state" mantra is overrated and not very practical. I think it's more than okay to store a simple cookie that contains a token so you can identify a user, and associate (some) data with that user. Anyway, I think that not storing application state (e.g. what has the user previously done, and what is he doing now) is the most important.

Answer 2

Or you can have everything encrypted in token and each request can get all user information including name, timestamp, etc. from that token.

The only thing server would need to know, is the encoding/decoding algorithm.

Even better, the server can call authentication service (that could be totally independent box) to authenticate and authorize user.

Simple is always good !