Try something like OAuth. This looks like a good overview:
http://wikis.sun.com/display/Jersey/OAuth. You don't have to have a session.
Just incorporate auth info in each request. With a human user interacting
with a webapp, that's just too burdensome, but since it will typically be
machines interacting with an API, authenticating each request isn't a
problem and is very secure.
On Tue, Mar 29, 2011 at 7:31 PM, Arthur Yeo <artyyeo_at_gmail.com> wrote:
> Hi All,
>
> After a user gets authenticated, what do you recommend to handle the
> concept of a session without breaking the RESTful paradigm?
> It seems like all post-login requests to the server need to include some
> kind of nonce or token to identify the "session", so to speak.
> If that's so, the server needs to understand and store that token to
> validate it for every incoming request.
> Wouldn't that break the RESTful paradigm since the server is now storing
> application state?
>
> --
> Arthur Y.
>
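As an added example (not code from this thread or from the Jersey project linked above), here is the per-request authentication the reply describes, done OAuth 1.0-style in Python: the client signs every request with its consumer and token secrets plus a timestamp and nonce (RFC 5849 HMAC-SHA1), and the server validates each request from its credential tables alone, with no login session. The consumer key, token, secrets, URL and timestamp values are made up for the example. The one piece of server state the scheme still needs is a short-lived nonce cache to reject replays; the example keeps that cache bounded by the timestamp window.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def _enc(value):
    """RFC 3986 percent-encoding as OAuth 1.0 requires (only A-Za-z0-9-._~ left bare)."""
    return quote(str(value), safe="")


def signature_base_string(method, url, params):
    """OAuth 1.0 signature base string: METHOD & base URL & normalized parameters."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    # Protocol parameters plus query-string parameters, minus the signature itself.
    all_params = [(k, v) for k, v in params.items() if k != "oauth_signature"]
    all_params += parse_qsl(parts.query, keep_blank_values=True)
    encoded = sorted((_enc(k), _enc(v)) for k, v in all_params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), _enc(base_url), _enc(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret):
    """HMAC-SHA1 keyed with encode(consumer_secret)&encode(token_secret), base64-encoded."""
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, consumer_key, consumer_secret, token, token_secret,
                 now=None, nonce=None):
    """Client side: build the Authorization header for one request.
    Each request carries its own credentials, timestamp and nonce, so no session is kept."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time() if now is None else now)),
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = hmac_sha1_signature(
        signature_base_string(method, url, oauth), consumer_secret, token_secret)
    return "OAuth " + ", ".join(f'{k}="{_enc(v)}"' for k, v in oauth.items())


def parse_authorization_header(header):
    """Turn 'OAuth k="v", k2="v2"' back into a dict; realm is not signed, so drop it."""
    if not header.startswith("OAuth "):
        return None
    fields = {}
    for item in header[len("OAuth "):].split(","):
        k, _, v = item.strip().partition("=")
        if k != "realm":
            fields[k] = unquote(v.strip('"'))
    return fields


class ResourceServer:
    """Server side: long-lived credential tables (configuration, not conversation state)
    plus a replay cache bounded by the timestamp window; nothing per-client persists."""

    def __init__(self, consumers, tokens, window=300):
        self.consumers = consumers   # consumer_key -> consumer_secret (made-up table)
        self.tokens = tokens         # token -> (consumer_key, token_secret)
        self.window = window         # seconds of clock skew tolerated
        self.seen = {}               # (consumer_key, timestamp, nonce) -> timestamp

    def verify(self, method, url, header, now=None):
        now = int(time.time() if now is None else now)
        params = parse_authorization_header(header)
        if not params or params.get("oauth_signature_method") != "HMAC-SHA1":
            return False, "unsupported or missing credentials"
        consumer_key = params.get("oauth_consumer_key")
        consumer_secret = self.consumers.get(consumer_key)
        token_entry = self.tokens.get(params.get("oauth_token"))
        if consumer_secret is None or token_entry is None or token_entry[0] != consumer_key:
            return False, "unknown credentials"
        try:
            ts = int(params.get("oauth_timestamp", ""))
        except ValueError:
            return False, "bad timestamp"
        if abs(now - ts) > self.window:
            return False, "stale timestamp"
        # Evict replay-cache entries too old to validate anyway, then check for reuse.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= self.window}
        replay_key = (consumer_key, ts, params.get("oauth_nonce", ""))
        if replay_key in self.seen:
            return False, "replayed nonce"
        expected = hmac_sha1_signature(
            signature_base_string(method, url, params), consumer_secret, token_entry[1])
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            return False, "bad signature"
        self.seen[replay_key] = ts
        return True, "ok"


if __name__ == "__main__":
    server = ResourceServer({"client1": "cs3cr3t"}, {"tok1": ("client1", "ts3cr3t")})
    url = "https://api.example.com/orders?status=open"
    header = sign_request("GET", url, "client1", "cs3cr3t", "tok1", "ts3cr3t")
    print(header)
    print(server.verify("GET", url, header))   # first use: (True, 'ok')
    print(server.verify("GET", url, header))   # same header again: replay rejected
```

The server never looks anything up that a login created: consumer and token secrets are provisioned credentials, and the signature binds them to this method, URL and query string, so a captured header cannot be re-aimed at another resource. The nonce cache is the caveat to "no state at all"; without it a captured request could be replayed within the timestamp window.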