Session Management - pcimino/nodejs-restify-mongodb GitHub Wiki
Session management
Client Sessions
Restify is designed to provide REST services, which are stateless by design, but in practice some compromise is usually made for security: the server needs to know who or what is making a request so it can restrict access to information, without re-authenticating the caller on every request.
In this demo, all the CRUD services are truly stateless. Info goes in, info comes out, but the server has no memory of who or what made the request.
For the login page, I added a session using Client Sessions. It works well: the session data is encrypted (and integrity-protected) before it is handed to the client, and the server decrypts what the client passes back to verify the session and look up the user. Because the session state travels with the client instead of living in server memory, any server that holds the same secret can accept the request, so requests can be spread across multiple servers without configuring sticky sessions on the load balancer. The trade-off is that a client-held session cannot be revoked on its own; ending a session early relies on the expiry baked into the cookie and on the user lookup rejecting the account.