JS session management - illyfrancis/scribble GitHub Wiki
Authentication with cookie?
There is some debate over using a cookie to carry the "auth token". Some argue it isn't truly RESTful and that the auth token should instead be passed with each request, in a header or as part of the URL.
- http://stackoverflow.com/questions/16329055/javascript-rest-client-and-session-management
- http://stackoverflow.com/questions/6068113/do-sessions-really-violate-restfulness
- http://stackoverflow.com/questions/319530/restful-authentication?lq=1
My opinion is that a cookie makes it harder for a non-browser REST client to implement, since cookie handling has to be incorporated, e.g. when using an HTTP client library from code...
Scenarios

In the following, a decision should be made about the HTTP return code: 302 vs 401. Which is more correct semantically?

Still remaining questions
Q1: Should the auth service provide an API that authenticates the user with a username/password pair and replies with an authentication token (not in a cookie)?
What are the implications of this?
Q2: How to detect session timeout while working in client?
One approach might be to periodically 'ping' the server in the background, where the 'period' is shorter than the session timeout configured on the server (from SO).
The basic example:

```javascript
// Ping the server every 14 minutes so the server-side session never reaches its timeout
setInterval(function () {
    $.get('/ImStillAlive.action');
}, 840000); // 14 mins * 60 * 1000
```

With a basic check for typing activity:

```javascript
$(function () {
    var lastUpdate = 0; // epoch ms of the last keypress; 0 means "no activity seen yet"
    var checkInterval = setInterval(function () {
        // No keypress within the last interval: stop pinging and let the session expire.
        // Note: Date().getTime() would throw, since Date() without `new` returns a string.
        if (new Date().getTime() - lastUpdate > 840000) {
            clearInterval(checkInterval);
        } else {
            $.get('/ImStillAlive.action');
        }
    }, 840000); // 14 mins * 60 * 1000
    $(document).keydown(function () {
        lastUpdate = new Date().getTime();
    });
});
```
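The same keep-alive logic, as an added example that is not part of the original wiki page, restructured so the clock and the ping call are injected (which makes the idle and "session already expired" paths testable without a browser). The endpoint path is the page's; the assumption that the server answers 401 once the session is gone is mine.

```javascript
// Added example: keep-alive scheduler with idle detection and server-side timeout detection.
const PING_INTERVAL_MS = 14 * 60 * 1000; // 14 minutes, as in the wiki's example

// now():   returns current time in ms
// ping(url, cb): performs the request and calls cb(httpStatus)
// onExpired(): invoked when the server reports the session is gone (assumed: HTTP 401)
function createKeepAlive({ now, ping, onExpired }) {
  let lastActivity = now(); // page load counts as activity
  let stopped = false;
  return {
    activity() { lastActivity = now(); },
    isStopped() { return stopped; },
    // Called once per interval tick; returns the decision taken.
    tick() {
      if (stopped) return 'stopped';
      if (now() - lastActivity > PING_INTERVAL_MS) {
        stopped = true; // user idle for a whole interval: let the session expire
        return 'idle';
      }
      ping('/ImStillAlive.action', (status) => {
        if (status === 401) { // server-side session already timed out
          stopped = true;
          onExpired();
        }
      });
      return 'pinged';
    },
  };
}

// Browser wiring (hypothetical helper): cookie-based session, so send credentials.
function startInBrowser(onExpired) {
  const ka = createKeepAlive({
    now: () => Date.now(),
    ping: (url, cb) => fetch(url, { credentials: 'same-origin' }).then((r) => cb(r.status)),
    onExpired,
  });
  document.addEventListener('keydown', () => ka.activity());
  const id = setInterval(() => { if (ka.tick() !== 'pinged') clearInterval(id); }, PING_INTERVAL_MS);
  return ka;
}
```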
Some opinions on REST and filters
http://stackoverflow.com/questions/1296421/rest-complex-applications/1297275#1297275