Monday, November 25, 2013

I've seen this advice...
ideally the web should follow the REST principle and be completely stateless. Therefore a single URL should identify a single resource, without having to keep the navigation history of each user.
...and I read the Wikipedia page http://en.wikipedia.org/wiki/REST and it really sounds good, but I don't get how to actually implement it. I'm working in ASP .NET Webforms NOT MVC.
For example, in the application I am about to build - I need my user to Login before I allow them to do anything. There are a couple of hoops they have to jump through before they are allowed to do much useful - like Accept T's and C's and confirm their basic details are unchanged. Finally they are allowed to do somthing they really want like BuyAProduct!
It seems to me (I come from the HEAVILY stateful world of the Rich client) that I need state to record what they have done and infer from that what they are allowed to do. I don't see how I can support them (say) bookmarking the BuyAProduct URI. When they arrive at the bookmark how do I know if they have logged in and if they agreed to the T's and C's and if they dutifully checked their basic details?
I love the idea of the app being stateless, partly because it seems to completely solve the problem of "What the heck do I do when the user clicks on the Back and Forward buttons?" I don't see how I can still get it to work properly. I feel I am missing somthing really fundamental about this.
share|improve this question
 
Why? If it is currently working, why change? Web applications tend to need to be stateful, hence Sessions and Cookies. –  John Gietzen Jun 10 '10 at 16:34
 
Ah - it's not working as it's not built yet. I am thinking about design options. I will edit the question. – RichardHowells Jun 10 '10 at 16:35
2 
@John I can assure that Web applications do not need to use sessions and cookies. –  Darrel Miller Jun 10 '10 at 23:39
 
@Darrel Miller: What if you want to allow users to log-in to the app? –  John Gietzen Jun 11 '10 at 0:46
2 
@John The http Authorization header allows you to provide credentials with a request that can ensure the person doing the request is who they say they are and has sufficient authorization to make the request. What does being "logged on" do that cannot be achieved with the Authorization header? –  Darrel Miller Jun 11 '10 at 1:06
show 1 more comment

5 Answers

up vote12down voteaccepted
The advice isn't suggesting that the app should be stateless - it's suggesting that the resources in the app should be stateless. That is, a page called "www.mysite.com/resources/123" will always represent the same resource, regardless of which user is accessing it or whether they're logged in or not.
(The fact that you might deny a non-logged-in user access is a separate issue - the point is that the Uri itself doesn't rely on user-specific data to work.)
For example, the kind of sites that break this rule are those where you navigate to a product page, email the Uri to your friend, and on clicking it they see a message along the lines of "I'm sorry, your session has expired" or "This product does not exist" or similar. The reason this happens is because the Uri includes something specific to the user's session on the site, and if a different user tries to use the link (or the same user at a later time), it's no longer valid.
So, you will always still need some form of state for your application, but where that state is implemented is the important factor.
Hope that helps shed a little light!
share|improve this answer
 
It would be helpful to note that in some cases, resources are user-specific, so only authorized users would see certain resources and not others. Thus, user-specific interactions are available. –  user29439 Jun 11 '10 at 6:58
 
Yes - but the Uri to that resource should remain the same for all users, whether they have access or not. (If this were a REST application, for example, you'd have the Uri return a Http Not Authorised state where relevant, instead of the resource). –  Dan Puzey Jun 13 '10 at 13:35
add comment
If you want to do Web forms, that's cool. If you want to do REST that's cool too. But please for the love of everything sacred, please don't attempt to adhere to the principles of REST using Web Forms.
Just to clarify this point further, I don't believe webforms is a wise choice for REST because the conceptual model that WebForms is based on is one where you abstract away the web. It was built to emulate the VB development model.
REST embraces HTTP and the distributed nature of web applications. The two approaches are not compatible.
share|improve this answer
2 
+1 this is like oil and water –  Alex James Jun 11 '10 at 0:31
 
No, I think you're wrong, in that the basic principle he's talking about can equally (and *should) be applied to WebForms too: don't put state information in your Uri. –  Dan Puzey Jun 11 '10 at 9:02
 
@Dan I think what you meant to say is don't put a reference to server session state in the url. Putting client application state in the URL is a completely restful approach. Regardless, whether the session state is in the URL or is communicated in some other way, like a cookie, session state leads to violation of the REST self-descriptive constraint. –  Darrel Miller Jun 11 '10 at 12:48
 
Application state in a Uri is completely contrary to the principles of REST: if your Uri to a resource is different to my Uri to a resource, that's not a RESTful Uri. –  Dan Puzey Jun 13 '10 at 13:34
1 
@Darrel I think what Dan is alluding to is this the Richardson Maturity Model:code.google.com/p/implementing-rest/wiki/RMM. Yes, you can do that, and yes, you can call it RESTful. But how RESTful is it, really? –  user29439 Jun 14 '10 at 22:51
show 6 more comments
A cookie would seem to be the answer to your question. You can use the the .net authentication provider which will set a cookie, that your application can check for and require the presence for if they're to buy anything.
The thing you want to try and avoid is keeping a state representation of them on the server, aka session cookie. That will make scaling more difficult.
share|improve this answer
add comment
Here's the thing: REST is about stateful communications over a stateless protocol. It's not that REST is stateless. WebForms enables you to retain state between requests. Why is that necessary? It let's you do things like sort items on a list with up/down buttons without having to update the underlying resource with each click. You don't need that. You could just PUT the resource representation so that it looks correct or use JavaScript to edit your representation and then do a PUT at the end once you are satisfied. (Note that I used PUT, not POST. What you are really doing is replacing the representation so that future GETs retrieve the right state.)
WebForms uses POST for everything. You should only POST to a URL when you are creating a new item and don't know where it will live. If you know its url, then you should use PUT to create or replace. If you need intermediary steps for, say, a shopping cart, then you should create resource representations for those intermediary steps. Your browser and server communicate by passing full representations between each other. It's simple request/response message passing.
WebForms doesn't encourage this. You can build RESTful systems in WebForms, but the default model will push you away from it towards a RPC approach. I can think of two ways around this: Front Controller(in which case you should really consider MVC) or using .ashx files for almost everything. The Postback model pretty well obliterates any real hope of doing true REST with real WebForms/.aspx (i.e. PUT and DELETE are always POSTs and thus fail the REST model).
share|improve this answer
 
As per RFC2616 POST can be used to send an entity to a processing resource. This does not imply creating of a resource. Creating is only one of the uses of POST. There is no requirement to use PUT and DELETE to be RESTful. See this FAQ code.google.com/p/implementing-rest/wiki/FAQ –  Darrel Miller Jun 11 '10 at 12:59
 
@Darrel Fair enough. I probably lean too far towards being explicit. The problem I see is that it makes it too easy to explain everything away, which leads back to RPC. –  user29439 Jun 14 '10 at 22:49
 
@Darrel What I'm focused on is Level 3 of the Richardson Maturity Model: code.google.com/p/implementing-rest/wiki/RMM. Well, maybe level 2. :) –  user29439 Jun 14 '10 at 22:52
 
Yes, using POST for lots of things can easily lead back to RPC if people don't have clear understanding of the other REST constraints. –  Darrel Miller Jun 14 '10 at 23:01
add comment