Timeline for REST API Token-based Authentication
Current License: CC BY-SA 3.0
7 events
| when | what | by | license | comment |
|---|---|---|---|---|
| Sep 8, 2017 at 7:16 | comment added | JustAMartin | | If you cache the token on the server, then isn't it essentially the same as the good old session id? A session id is short-lived and it is also attached to fast cache storage (if you implement it) to avoid hitting your DB on every request. A true RESTful & stateless design should not have sessions, but if you are using a token as an ID and then still hitting the DB, then wouldn't it be better to just use a session ID instead? Alternatively, you can go for JSON web tokens that contain encrypted or signed information for the entire session data for a true stateless design. |
| Apr 10, 2014 at 17:28 | history edited | cmc | CC BY-SA 3.0 | Heartbleed warning |
| Mar 26, 2012 at 18:01 | vote accept | cantlin | | |
| Mar 26, 2012 at 18:00 | comment added | cantlin | | Thanks cmc, all good points and great food for thought. I've ended up taking a token/HMAC approach similar to the one you discussed above, rather like the S3 REST API authentication mechanism. |
| Mar 19, 2012 at 17:34 | history edited | cmc | CC BY-SA 3.0 | added 449 characters in body |
| Mar 19, 2012 at 17:28 | history edited | cmc | CC BY-SA 3.0 | added 449 characters in body |
| Mar 19, 2012 at 17:09 | history answered | cmc | CC BY-SA 3.0 | |