JS session management
There is some debate over using a cookie to carry the "auth token". Some argue that this isn't truly RESTful and that the token should instead be passed with each request, in a header or as part of the URL.
- http://stackoverflow.com/questions/16329055/javascript-rest-client-and-session-management
- http://stackoverflow.com/questions/6068113/do-sessions-really-violate-restfulness
- http://stackoverflow.com/questions/319530/restful-authentication?lq=1
My opinion is that with a cookie it would be more difficult for a non-browser REST client to implement, as the cookie handling has to be incorporated, e.g. when using an HttpClient from code...
A decision also has to be made about the HTTP status code returned when the client is not (or no longer) authenticated: 302 (redirect to a login page) vs 401 (Unauthorized). Which is semantically more correct? A 302 to a login page is meaningful to a browser, whereas a non-browser client has to follow the redirect and inspect the result to learn it is logged out; a 401 states that directly.
Q1: Should the auth service provide an API that authenticates a username/password pair and replies with an authentication token (not in a cookie)?
What are the implications of this?
Q2: How to detect session timeout while working in the client?
One approach is to periodically 'ping' the server in the background, where the period is shorter than the session timeout configured on the server (from SO). Note that an unconditional ping keeps the server-side session alive for as long as the tab is open, which defeats the idle timeout; the second variant below only pings while the user is active.
The basic example (unconditional ping every 14 minutes):
    setInterval(function(){
        $.get('/ImStillAlive.action'); // any authenticated request resets the server-side idle timer
    }, 840000); // 14 min * 60 s * 1000 ms
With a basic check for typing activity, so that pinging stops once the user has been idle for a full period and the server-side timeout can take effect:
    $(function(){
        // Treat page load as the most recent activity. Starting from 0 would make
        // the first check always exceed the threshold and stop the timer immediately.
        var lastUpdate = new Date().getTime();
        var checkInterval = setInterval(function(){
            // new Date() is required: Date() without `new` returns a string with no getTime()
            if(new Date().getTime() - lastUpdate > 840000){
                clearInterval(checkInterval); // user idle for a full period: stop pinging, let the server session expire
            }else{
                $.get('/ImStillAlive.action'); // user was active: extend the server-side session
            }
        }, 840000); // 14 min * 60 s * 1000 ms
        $(document).keydown(function(){
            lastUpdate = new Date().getTime(); // record the most recent keystroke
        });
    });
http://stackoverflow.com/questions/1296421/rest-complex-applications/1297275#1297275
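The following is an added example, not code from the page or from the linked Stack Overflow answers. It puts the two ideas above together: the token is sent in an Authorization header rather than a cookie (Q1), and the activity-gated keep-alive from Q2 is extended so that a 401 (or a browser-style 302 to a login page) returned by the ping is treated as "session expired". The clock and transport are injected so the logic runs offline in Node without jQuery against a constructed fake server; the 15-minute server timeout, 14-minute ping period, bearer-token scheme and `/login` redirect target are assumptions, and a real `send()` would wrap `fetch` or `XMLHttpRequest` instead of returning synchronously.

```javascript
// Added example: activity-gated session keep-alive with expiry detection for a JS REST client.
// Assumptions: server idle timeout 15 min, ping every 14 min, token in an Authorization
// header, keep-alive endpoint /ImStillAlive.action (from the page). Not the page's own code.

const SESSION_TIMEOUT_MS = 15 * 60 * 1000; // assumed server-side idle timeout
const PING_INTERVAL_MS = 14 * 60 * 1000;   // ping before the server would expire the session
const IDLE_CUTOFF_MS = PING_INTERVAL_MS;   // no user input for this long: stop extending the session

// now() and send() are injected so the decision logic can be driven by a fake clock and
// a fake server. In a browser, send() would wrap fetch/XMLHttpRequest.
function createSessionKeeper({ token, now, send, onExpired }) {
  let lastActivity = now(); // page load counts as activity (not epoch 0)
  let alive = true;

  function recordActivity() {
    lastActivity = now();
  }

  // Run once per PING_INTERVAL_MS. Returns what it decided so callers can observe it.
  function tick() {
    if (!alive) return 'stopped';
    if (now() - lastActivity >= IDLE_CUTOFF_MS) {
      // Idle user: stop pinging and let the server-side timeout do its job.
      alive = false;
      return 'idle';
    }
    const res = send({
      method: 'GET',
      path: '/ImStillAlive.action',
      headers: { Authorization: `Bearer ${token}` }, // token travels in a header, not a cookie
    });
    if (res.status === 401) {
      // Explicit "not authenticated": the token or session is gone.
      alive = false;
      onExpired('unauthenticated');
      return 'expired';
    }
    if (res.status >= 300 && res.status < 400) {
      // A 302 to a login page is aimed at browsers; a programmatic client must not
      // follow it blindly but treat it as expiry as well.
      alive = false;
      onExpired('redirected');
      return 'expired';
    }
    return 'pinged';
  }

  return { tick, recordActivity, isAlive: () => alive };
}

// Constructed fake server: accepts exactly one bearer token and expires the session
// when no request has arrived within SESSION_TIMEOUT_MS. expiredStatus selects whether
// it answers like an API (401) or like a browser-oriented app (302 to /login).
function createFakeServer(now, validToken, expiredStatus = 401) {
  let lastSeen = now();
  return function send(req) {
    const authorized = (req.headers.Authorization || '') === `Bearer ${validToken}`;
    if (!authorized || now() - lastSeen > SESSION_TIMEOUT_MS) {
      return expiredStatus === 302
        ? { status: 302, headers: { Location: '/login' } }
        : { status: 401 };
    }
    lastSeen = now();
    return { status: 200 };
  };
}

// Drives a keeper through a scripted timeline: each step advances the fake clock to
// step.at (ms), optionally records user activity, then runs one tick.
function runScenario(steps, opts = {}) {
  const { token = 'tok', serverToken = 'tok', expiredStatus = 401 } = opts;
  let t = 0;
  const now = () => t;
  const expired = [];
  const keeper = createSessionKeeper({
    token,
    now,
    send: createFakeServer(now, serverToken, expiredStatus),
    onExpired: (reason) => expired.push(reason),
  });
  const results = steps.map((step) => {
    t = step.at;
    if (step.activity) keeper.recordActivity();
    return keeper.tick();
  });
  return { results, expired, alive: keeper.isAlive() };
}

// Browser wiring (hypothetical, not run here):
//   document.addEventListener('keydown', keeper.recordActivity);
//   setInterval(keeper.tick, PING_INTERVAL_MS);
```

Running `runScenario` with a user who types before every tick yields a steady `pinged`; with no activity the first tick returns `idle` and the session is left to lapse server-side; a user who comes back after the server timeout gets `expired` on the very next ping, which is the point at which the client should prompt for re-authentication rather than silently retrying.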

