  • 10
    This is the best answer. /login and /logout aren't resources and break the idea of REST. Commented Sep 16, 2016 at 2:07
  • 8
    Authentication != Session Commented Oct 13, 2017 at 0:01
  • 1
    Yes, Fielding's thesis states in section 5.1.3 that "[s]ession state is [...] kept entirely on the client." Further, I would argue that, ideally, authentication should also be stateless on the server side, i.e., rather than storing active "authentication tickets" in a database, the server should be able to verify an authentication credential just based on the credential itself, e.g. by using a self-contained cryptographic token in conjunction with a private key. So, instead of a /session resource one could introduce an /authentication resource, but it doesn't really solve the problem either... Commented Feb 3, 2018 at 2:02
  • 4
    Actually, /login and /logout are nouns. I assume you're thinking of /log_in and /log_out. Commented Sep 3, 2018 at 19:23
  • 2
    "I would go with /session. This make creation and deletion a more natural action." I agree with this, but which HTTP verb should be used to log in (i.e. initiate the session)? GET? POST? PUT? Assuming DELETE would be used to log out. Commented Dec 8, 2021 at 21:44
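The stateless scheme sketched in the Feb 3, 2018 comment (the server verifies a self-contained, signed credential with a key rather than looking up a stored "authentication ticket") as an added example; this is not code from the original thread or from any answer on the page. It uses Go's standard-library Ed25519. The token layout (`base64url(claims) "." base64url(signature)`) and the `Claims` field set are assumptions for this example, not a standard; a real deployment would use an established token format and add issuer/audience checks.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the self-contained content of the token. The field set is an
// assumption for this example; a real deployment would add issuer, audience, etc.
type Claims struct {
	Subject   string `json:"sub"`
	ExpiresAt int64  `json:"exp"` // unix seconds
}

var (
	ErrInvalidToken = errors.New("invalid token")
	ErrExpired      = errors.New("token expired")
)

// b64 is unpadded base64url, so tokens are safe in headers and URLs.
var b64 = base64.RawURLEncoding

// Issue serialises the claims and signs them with the server's Ed25519 private
// key. Token layout (assumed for this example, not a standard):
//   base64url(claims JSON) "." base64url(signature)
func Issue(priv ed25519.PrivateKey, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	enc := b64.EncodeToString(payload)
	sig := ed25519.Sign(priv, []byte(enc))
	return enc + "." + b64.EncodeToString(sig), nil
}

// Verify checks the token using only the public key and the current time: no
// session table is consulted, which is what makes the scheme stateless.
func Verify(pub ed25519.PublicKey, token string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return c, ErrInvalidToken
	}
	sig, err := b64.DecodeString(parts[1])
	if err != nil {
		return c, ErrInvalidToken
	}
	// Check the signature over the encoded bytes exactly as received, before
	// parsing them, so nothing unauthenticated is ever interpreted.
	if !ed25519.Verify(pub, []byte(parts[0]), sig) {
		return c, ErrInvalidToken
	}
	payload, err := b64.DecodeString(parts[0])
	if err != nil {
		return c, ErrInvalidToken
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, ErrInvalidToken
	}
	if !now.Before(time.Unix(c.ExpiresAt, 0)) {
		return c, ErrExpired
	}
	return c, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	tok, err := Issue(priv, Claims{Subject: "alice", ExpiresAt: now.Add(time.Hour).Unix()})
	if err != nil {
		panic(err)
	}
	fmt.Println("token:", tok)
	c, err := Verify(pub, tok, now)
	fmt.Println("verify now:", c.Subject, err)
	_, err = Verify(pub, tok, now.Add(2*time.Hour))
	fmt.Println("verify after expiry:", err)
	// A forged payload paired with the genuine signature must be rejected.
	forged := b64.EncodeToString([]byte(`{"sub":"admin","exp":9999999999}`)) + "." + strings.Split(tok, ".")[1]
	_, err = Verify(pub, forged, now)
	fmt.Println("verify forged:", err)
}
```

Because `Verify` consults nothing but the public key and the clock, any server holding the public key can authenticate the request, which is the property the comment asks for. The flip side is exactly what the same comment calls the unsolved problem: with no server-side record there is nothing for a `DELETE /session` to delete, so a token stays valid until `exp` unless the server reintroduces state (a revocation list) or keeps lifetimes short.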