REST and authentication variants

Front-end · unresolved · 3 · 882
长发绾君心 2020-12-07 07:37

I am currently working on a REST library for .net, and I would like to hear some opinions about an open point I have: REST and authentication.

Here is an example of

3 answers
  •  不知归路
    2020-12-07 08:04

    I agree with workmad3: if session lifetime needs to be maintained you should create a session resource. A POST on that resource with user credentials (either basic authentication or credentials in the body content) will return a unique session id. A DELETE on /session/{id} will log out the user.

    If you want to control the session expiry time: when creating a new session (POST on the session resource), the server will set a cookie on the response (using the standard Set-Cookie header). The cookie will contain the expiry time. The cookie string should be encrypted on the server, so only the server can open that cookie. Every subsequent request to the server will send the session cookie in the Cookie header (this is done automatically for you if your client is a browser). The server needs to "renew" the cookie on every request, i.e. create a new cookie with a new expiry time (extending the session's timeout). Remember to clear the cookie when the user calls DELETE on the session resource.

    If you want your application to be more secure you can store the client IP in the cookie itself, so when a request arrives the server can validate that it was sent from the "original" client. But remember that this solution can be problematic when proxies are involved, because the server might "see" all the requests as coming from the same client.
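The session-resource design this answer describes, as added example code (not from the .NET library in the question nor from the answerer), in Python rather than .NET. It swaps the answer's encrypted cookie for an HMAC-authenticated one; the server key, user table and IP addresses are constructed demo values, and the current time is passed in explicitly so expiry and renewal can be exercised.

```python
import base64, binascii, hashlib, hmac, json, secrets

SERVER_KEY = b"constructed-demo-key"       # constructed; load from a key store in practice
USERS = {"alice": "correct horse battery staple"}  # constructed; store password hashes really
SESSION_TTL = 15 * 60                      # idle timeout in seconds, refreshed per request
_sessions = {}                             # session id -> username (server-side store)

def _mac(body):
    return hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()

def make_cookie(sid, now, client_ip=None):
    """Session id, expiry and optional client IP, authenticated with the server key."""
    body = json.dumps({"sid": sid, "exp": now + SESSION_TTL, "ip": client_ip}).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _mac(body)

def open_cookie(cookie, now, client_ip=None):
    """Return the cookie's contents, or None if MAC, expiry, session or IP binding fail."""
    try:
        token, mac = cookie.rsplit(".", 1)
        body = base64.urlsafe_b64decode(token)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(_mac(body).encode(), mac.encode()):
        return None                        # tampered or forged cookie
    data = json.loads(body)
    if data["exp"] <= now or data["sid"] not in _sessions:
        return None                        # expired, or already logged out server-side
    if data["ip"] is not None and data["ip"] != client_ip:
        return None                        # bound to a different client address
    return data

def post_session(username, password, now, client_ip=None):
    """POST /session: check credentials, create a session, return (status, Set-Cookie)."""
    if username not in USERS or not hmac.compare_digest(USERS[username].encode(), password.encode()):
        return 401, None
    sid = secrets.token_urlsafe(16)
    _sessions[sid] = username
    return 201, make_cookie(sid, now, client_ip)

def authenticated_request(cookie, now, client_ip=None):
    """Any later request: validate the cookie, then reissue it with a fresh expiry."""
    data = open_cookie(cookie, now, client_ip)
    return (401, None) if data is None else (200, make_cookie(data["sid"], now, data["ip"]))

def delete_session(sid, cookie, now, client_ip=None):
    """DELETE /session/{id}: drop the server record and tell the client to clear the cookie."""
    data = open_cookie(cookie, now, client_ip)
    if data is None or data["sid"] != sid:
        return 401, None
    del _sessions[sid]
    return 204, "session=; Max-Age=0"
```

Because the session id is also checked against the server-side store, a logout invalidates every copy of the cookie, not only the one the client happens to send back.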
