REST, sessions, authentication


I have been trying to read up on this REST stuff that everyone is
talking about. :) It all seems very nice, but I can't seem to handle
user sessions and still have pretty URLs. Perhaps someone here has a

As far as I can see, Rails sessions break REST, since the session the
cookie refers to is state located on the server. Another way to handle
sessions would be to make them a resource and then refer to a session
in the URL. Something like:


This is in my opinion not as nice as the same URL with no session id
suffix. My main gripe with session ids in the URL is that the URL isn't
bookmarkable in the same way as a URL without a session id. It might
also be confusing for the end user if he wants to share a URL with a
friend. Come to think of it, it might also be a security hole if a user
decides to share a URL with a friend.

What is this group's take on REST and sessions? I have just recently
started to read about REST so I might have missed something important.
In that case maybe someone here can point me in the right direction.


As far as I know (and admittedly I don't know THAT much), cookie
information is sent in the header of a browser request along with
POST, GET etc ... so I don't see a reason REST should break sessions?
I have to say I didn't really work with REST though.

Got any links to read up on this? Never heard about this issue ...

I found this link: in the REST

:.:: mattias

Alan Francis wrote:

Rick's restful_authentication plugin makes users and sessions into

login => session/create
logout => session/destroy
signup => user/new

Can anyone tell me what a URL would look like using this plugin? How is
the session resource specified when using a controller other than the
session controller?

:.:: brasse
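
The concern raised in the first post, that a URL carrying a session id becomes a security hole once it is shared, shown as an added example that is not part of the thread and not code from any plugin mentioned in it. The `session_id` query parameter, the `sid` cookie name, the `example.test` host and the in-memory store are all constructed for illustration.

```ruby
require "securerandom"
require "uri"

# Constructed in-memory session store: session id => user name.
SESSIONS = {}

def login(user)
  sid = SecureRandom.hex(16) # unguessable id; the weakness below is disclosure, not guessing
  SESSIONS[sid] = user
  sid
end

# Variant A: the session id travels in the URL, so anyone holding the URL is the user.
def user_from_url(url)
  params = URI.decode_www_form(URI.parse(url).query.to_s).to_h
  SESSIONS[params["session_id"]]
end

# Variant B: the session id is accepted only from the Cookie header; the URL stays clean.
def user_from_cookie(cookie_header)
  cookie_header.to_s.split(/;\s*/).each do |pair|
    name, value = pair.split("=", 2)
    return SESSIONS[value] if name == "sid"
  end
  nil
end

# Defensive helper: drop the session parameter before a URL is logged, shared or bookmarked.
def shareable_url(url)
  uri = URI.parse(url)
  kept = URI.decode_www_form(uri.query.to_s).reject { |key, _| key == "session_id" }
  uri.query = kept.empty? ? nil : URI.encode_www_form(kept)
  uri.to_s
end

if __FILE__ == $0
  sid = login("alice")
  shared = "http://example.test/projects/7?page=2&session_id=#{sid}"

  # A friend opens the pasted URL from a browser with no cookies at all.
  puts "URL session, friend is seen as:    #{user_from_url(shared).inspect}"
  puts "Cookie session, friend is seen as: #{user_from_cookie(nil).inspect}"
  puts "Cookie session, owner is seen as:  #{user_from_cookie("theme=dark; sid=#{sid}").inspect}"
  puts "Safe to share: #{shareable_url(shared)}"
end
```
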