On 04/16/2012 10:04 AM, Miki Kenneth wrote:
I Agree on that, although I'm not sure whether it is really needed to release the session, rather then rely on timeout. If we indeed need to provide a way to release the session then I agree this is the best alternative. But if we don't then it will make the API to the client more (but not very) complex in that manner.
I would go for both - release mechanism (for proper handling) and timeout mechanism for garbage collection. (refer to: http://blog.synopse.info/post/2011/05/24/How-to-implement-RESTful-authentica...)
Agreed we need both. I think that for security purposes, it is important to have a "log out" function. That way, client applications can decide depending on their local security requirements whether or not it is acceptable to leave a session open. Regards, Geert