I would like to know what the best practice is for working with an authorized RESTful server.

Say that after login the server provides me a token, and then for each request I will have to provide it as well. My question is: should I save this token in my server's session, or should I do authentication against the database for each request?

2 Answers

There are several ways. You could only keep it in memory, but then if you have multiple servers in a cluster, you'll have to make sure a request for a given token always goes to the same server, or to distribute the token among all the servers.

You could also cryptographically sign the token data, include the data and the signature in the token, and verify the signature at each request. That way you can be certain that the token has been issued by you, and you can be completely stateless.

Note that, if you're using HTTP sessions already, the token is redundant, since the session mechanism already uses a token in a cookie to track sessions.

2 Comments

I am using HTTP. If I want to add "remember me" option in the client? how should I approach this?
Then the client will have to save the token in a cookie, and send it. And your server will have to accept the token for a long period of time.
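One way to implement the signed, stateless token this answer describes, including the longer lifetime the "remember me" comment asks about. This is an added example, not code from the original answer: it uses HMAC-SHA256 from the Python standard library, a constructed SERVER_KEY, and made-up lifetimes SESSION_TTL and REMEMBER_ME_TTL. The token carries its own data (subject, issue time, expiry) plus a signature, so any server holding the key can verify it without a session store or a database lookup.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example key. A real server loads this from a secret store and
# rotates it; anyone holding it can mint tokens for any user.
SERVER_KEY = b"replace-with-32-random-bytes-from-os.urandom"

SESSION_TTL = 60 * 60               # 1 hour for a normal login (assumed value)
REMEMBER_ME_TTL = 30 * 24 * 60 * 60  # 30 days when "remember me" is ticked (assumed value)


def _b64url(data: bytes) -> str:
    """Base64url without padding, safe for headers and cookies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(s: str) -> bytes:
    """Inverse of _b64url; restores the padding before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(body: str) -> str:
    return _b64url(hmac.new(SERVER_KEY, body.encode("ascii"), hashlib.sha256).digest())


def issue_token(user_id: str, remember_me: bool = False, now: Optional[float] = None) -> str:
    """Build '<base64url(json payload)>.<base64url(hmac)>' for the logged-in user."""
    now = time.time() if now is None else now
    ttl = REMEMBER_ME_TTL if remember_me else SESSION_TTL
    payload = {"sub": user_id, "iat": int(now), "exp": int(now) + ttl}
    # Canonical JSON so the same payload always produces the same bytes.
    body = _b64url(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode("utf-8"))
    return f"{body}.{_sign(body)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the signature is ours and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None  # malformed: no separator
    # Check the signature before parsing anything, with a constant-time compare.
    if not hmac.compare_digest(sig, _sign(body)):
        return None
    try:
        payload = json.loads(_unb64url(body))
    except ValueError:  # bad base64 or bad JSON (binascii.Error is a ValueError)
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    return payload


if __name__ == "__main__":
    tok = issue_token("alice", remember_me=True)
    print(tok)
    print(verify_token(tok))
```

Every request is then just `verify_token(request_header_or_cookie)`; no session and no database round trip. The trade-off a practitioner should know before choosing this over server-side sessions: a signed token stays valid until `exp` on its own, so logging out or locking an account only takes effect immediately if you also keep a small server-side denylist (or rotate the key, which logs everyone out). If the client stores the token in a cookie, as the comment suggests for "remember me", the usual cookie hardening applies (`Secure`, `HttpOnly`, `SameSite`) and you still need CSRF protection for state-changing requests.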

Use a session cookie to track an authenticated session instead of hitting the database each time.

1 Comment

And if I want to add "remember me" option in the client? how should I approach this?
