API design concepts of session #69

shelling opened this Issue Jan 4, 2013 · 0 comments

shelling commented Jan 4, 2013

In the chapter "Cross Domain Sessions", the session API was designed as

POST /session - Login - Sets the session username and returns a csrf token for the user to use
DELETE /session - Logout - Destroys the session and regenerates a new csrf token if the user wants to re-login
GET /session - Checks Auth - Simply returns if auth is true or false, if true then also returns some session details

However, the Express application declares

app.del('/session/:id', function(req, res, next) { ... })

where :id is the session.id which has been passed in cookies

Actually, the browser should have one and only one session on this site. So, the :id in this API is not necessary.

IMHO, to prevent the conflict, it's better to declare SessionModel with the attribute { url: "/session" } rather than { urlRoot: "/session" }, so that the Express application can declare

app.del('/session', function(req, res, next) { ... } )

as the design document mentioned above.
