From: "Geert Jansen" <gjansen(a)redhat.com>
To: "Miki Kenneth" <mkenneth(a)redhat.com>
Cc: "Oved Ourfalli" <ovedo(a)redhat.com>, "engine-devel"
<engine-devel(a)ovirt.org>, "Eoghan Glynn" <eglynn(a)redhat.com>
Sent: Monday, April 16, 2012 11:34:26 AM
Subject: Re: [Engine-devel] REST session management

On 04/16/2012 10:04 AM, Miki Kenneth wrote:
>> I agree on that, although I'm not sure whether it is really needed to
>> release the session, rather than rely on timeout.
>> If we indeed need to provide a way to release the session then I
>> agree this is the best alternative. But if we don't then it will
>> make the API to the client more (but not very) complex in that
>> manner.
>
> I would go for both - release mechanism (for proper handling) and
> timeout mechanism for garbage collection.
> (refer to: http://blog.synopse.info/post/2011/05/24/How-to-implement-RESTful-authent...)

Agreed we need both. I think that for security purposes, it is important
to have a "log out" function. That way, client applications can decide
depending on their local security requirements whether or not it is
acceptable to leave a session open.

So (unless someone objects) let's go for option #2 (using the Prefer header on
each and every request, and release the session once it is not there).
Thank you,
Oved
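
The behaviour agreed on in this thread (a session that lives while each request carries the Prefer header, is released on the first request without it, and is garbage-collected on timeout) can be sketched as follows. This is an added example, not code from the thread or from the oVirt engine; the class and function names, the "persistent-auth" token and the 30-minute timeout are assumptions, since the thread names only the header.

```python
import secrets

PERSIST_TOKEN = "persistent-auth"   # assumed Prefer token; the thread names only the header
IDLE_TIMEOUT = 30 * 60              # assumed idle timeout in seconds


class SessionStore:
    """Sessions live while requests carry the Prefer token, or until idle timeout."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self._last_seen = {}            # session id -> (user, time of last request)

    def collect_garbage(self, now):
        """Timeout mechanism: drop sessions the client never released."""
        expired = [sid for sid, (_, seen) in self._last_seen.items()
                   if now - seen > self.idle_timeout]
        for sid in expired:
            del self._last_seen[sid]
        return len(expired)

    def handle(self, headers, now, session_id=None, user=None):
        """Return (status, session id to send back or None).

        `user` stands in for credentials already verified by the caller.
        """
        self.collect_garbage(now)
        wants_session = PERSIST_TOKEN in _prefer_tokens(headers)
        known = self._last_seen.get(session_id)
        if known is not None:
            user = known[0]
        elif user is None:
            return 401, None              # no live session and no credentials
        if not wants_session:
            # Release mechanism: the header is absent, so this is the last request.
            self._last_seen.pop(session_id, None)
            return 200, None
        if known is None:
            session_id = secrets.token_urlsafe(32)
        self._last_seen[session_id] = (user, now)
        return 200, session_id


def _prefer_tokens(headers):
    """Parse a comma-separated Prefer header, case-insensitively."""
    for name, value in headers.items():
        if name.lower() == "prefer":
            return {t.split(";")[0].strip().lower() for t in value.split(",")}
    return set()
```

A released or expired session id is answered with 401, so a client that logged out by omitting the header cannot have its old session reused.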