[Engine-devel] REST session management

Oved Ourfalli ovedo at redhat.com
Mon Apr 16 08:44:27 UTC 2012



----- Original Message -----
> From: "Geert Jansen" <gjansen at redhat.com>
> To: "Miki Kenneth" <mkenneth at redhat.com>
> Cc: "Oved Ourfalli" <ovedo at redhat.com>, "engine-devel" <engine-devel at ovirt.org>, "Eoghan Glynn" <eglynn at redhat.com>
> Sent: Monday, April 16, 2012 11:34:26 AM
> Subject: Re: [Engine-devel] REST session management
> 
> 
> On 04/16/2012 10:04 AM, Miki Kenneth wrote:
> 
> >> I agree on that, although I'm not sure whether it is really needed to
> >> release the session, rather than rely on timeout.
> >> If we indeed need to provide a way to release the session then I
> >> agree this is the best alternative. But if we don't then it will
> >> make the API to the client more (but not very) complex in that
> >> manner.
> >
> > I would go for both - release mechanism (for proper handling) and
> > timeout mechanism for garbage collection.
> > (refer to:
> > http://blog.synopse.info/post/2011/05/24/How-to-implement-RESTful-authentication)
> 
> Agreed we need both. I think that for security purposes, it is important
> to have a "log out" function. That way, client applications can decide
> depending on their local security requirements whether or not it is
> acceptable to leave a session open.
> 
So (unless someone objects) let's go for option #2 (using the Prefer header on each and every request, and release the session once it is not there).

Thank you,
Oved
> Regards,
> Geert
> 
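The session lifecycle agreed on in this thread (keep the session while the Prefer header is sent, release it when the header is absent, fall back to a timeout for garbage collection), as an added example that is not part of the original messages or of the engine's code. The `SessionStore` class, the `persistent-auth` token and the 30-minute idle timeout are assumptions; the thread names only the Prefer header.

```python
import secrets
import time

PREFER_TOKEN = "persistent-auth"  # assumed value; the thread names only the Prefer header
IDLE_TIMEOUT = 30 * 60            # assumed idle timeout in seconds


class SessionStore:
    """Hypothetical server-side store: a session lives only while the client asks for it."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._sessions = {}  # session id -> (user, last-used time)

    @staticmethod
    def _wants_session(headers):
        # Header names are case-insensitive; Prefer may carry several comma-separated tokens.
        prefer = next((v for k, v in headers.items() if k.lower() == "prefer"), "")
        return PREFER_TOKEN in (p.strip().lower() for p in prefer.split(","))

    def handle(self, headers, session_id=None, user=None):
        """Return (status, session id to keep or None). `user` is set when the
        request carried valid credentials (credential checking is out of scope)."""
        now = self._clock()
        if session_id is not None:
            entry = self._sessions.pop(session_id, None)
            if entry is None or now - entry[1] > IDLE_TIMEOUT:
                return 401, None          # unknown, already released, or timed out
            user = entry[0]
        elif user is None:
            return 401, None              # neither session nor credentials
        if not self._wants_session(headers):
            return 200, None              # header absent: serve, then release (log out)
        if session_id is None:
            session_id = secrets.token_urlsafe(32)  # unguessable id for a new session
        self._sessions[session_id] = (user, now)    # create or refresh
        return 200, session_id

    def collect_garbage(self):
        """Timeout path: drop sessions whose client went away without releasing."""
        now = self._clock()
        stale = [s for s, (_, used) in self._sessions.items() if now - used > IDLE_TIMEOUT]
        for s in stale:
            del self._sessions[s]
        return len(stale)
```

A released or expired session id is rejected with 401 rather than silently re-created, so a stolen id is useless once the client has logged out.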


