
On 04/16/2012 11:44 AM, Oved Ourfalli wrote:
----- Original Message -----
From: "Geert Jansen"<gjansen@redhat.com>
To: "Miki Kenneth"<mkenneth@redhat.com>
Cc: "Oved Ourfalli"<ovedo@redhat.com>, "engine-devel"<engine-devel@ovirt.org>, "Eoghan Glynn"<eglynn@redhat.com>
Sent: Monday, April 16, 2012 11:34:26 AM
Subject: Re: [Engine-devel] REST session management

On 04/16/2012 10:04 AM, Miki Kenneth wrote:
I agree on that, although I'm not sure whether it is really needed to release the session, rather than rely on timeout. If we indeed need to provide a way to release the session then I agree this is the best alternative. But if we don't then it will make the API to the client more (but not very) complex in that manner.

I would go for both - release mechanism (for proper handling) and timeout mechanism for garbage collection. (refer to: http://blog.synopse.info/post/2011/05/24/How-to-implement-RESTful-authentica...)

Agreed we need both. I think that for security purposes, it is important to have a "log out" function. That way, client applications can decide depending on their local security requirements whether or not it is acceptable to leave a session open.

So (unless someone objects) let's go for option #2 (using the Prefer header on each and every request, and release the session once it is not there).

My only objection is that you implement a draft spec and implement a header without even bothering to register it - or asking if there is such an identical-purposed header with a different name which may get registered / is already in use somewhere.

Y.

Thank you,
Oved

Regards,
Geert
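
As an added illustration of option #2 from the thread (not code from the oVirt project or from any poster): a server-side session store that keeps a session while each request carries the Prefer header, releases it on the first request without the header, and reaps idle sessions by timeout. The token `persistent-auth`, the timeout value, and the names `SessionStore`, `handle` and `credentials_user` are assumptions; the thread does not specify them.

```python
import secrets
import time

PREFER_TOKEN = "persistent-auth"  # assumed token; the thread does not name it
IDLE_TIMEOUT = 30 * 60            # assumed idle timeout, in seconds


class SessionStore:
    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.monotonic):
        self._sessions = {}  # session id -> (user, last_seen)
        self._idle_timeout = idle_timeout
        self._clock = clock

    def _wants_persistence(self, headers):
        # Header names are case-insensitive; Prefer may carry several tokens.
        prefer = next((v for k, v in headers.items() if k.lower() == "prefer"), "")
        return PREFER_TOKEN in (t.strip().lower() for t in prefer.split(","))

    def reap(self):
        """Timeout mechanism: drop sessions idle longer than the limit."""
        now = self._clock()
        expired = [sid for sid, (_, seen) in self._sessions.items()
                   if now - seen > self._idle_timeout]
        for sid in expired:
            del self._sessions[sid]
        return len(expired)

    def handle(self, headers, session_id=None, credentials_user=None):
        """Return (user, session id to send back); (None, None) if unauthenticated.

        credentials_user is the user already verified from the request's own
        credentials (hypothetical parameter; verification is out of scope).
        """
        self.reap()
        # Pop first: the session survives only if this request asks to keep it.
        entry = self._sessions.pop(session_id, None) if session_id else None
        user = entry[0] if entry else credentials_user
        if user is None:
            return None, None
        if not self._wants_persistence(headers):
            return user, None  # release mechanism: header absent, session gone
        sid = session_id if entry else secrets.token_urlsafe(32)
        self._sessions[sid] = (user, self._clock())
        return user, sid

    def is_active(self, session_id):
        return session_id in self._sessions
```

The request that omits the header is still served under the existing session, which then stops being valid, so a client "logs out" simply by dropping the header on its final call.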