What method should I use for a login (authentication) request?

天涯浪人 2020-12-23 10:41

I would like to know which HTTP method I should use when doing a login request, and why? Since this request creates an object (a user session) on the server, I think it shou

6 answers
  •  悲&欢浪女
    2020-12-23 11:22

    I believe that you can translate LOGIN & LOGOUT methods into basic CRUD operations CREATE & DELETE. Since you are creating a new resource called SESSION and destroying it when logging out:

    1. POST /login - creates session
    2. DELETE /logout - destroys session

    I would never do LOGOUT as GET, simply because anyone could make an attack just by sending an email with an IMG tag, or a link to a website where such an IMG tag exists.

    P.S. For a long time I was wondering how you would create a RESTful login/logout, and it turned out it's really simple. You do it just like I described: use the /session/ endpoint with CREATE and DELETE methods and you are fine. You could also use UPDATE if you want to update the session in one way or another...
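
Added example, not part of the answer above: a minimal session resource where only POST creates and only DELETE destroys a session, so a GET fired by an embedded image or a followed link leaves the session intact. The `/session` path, the `handle` function, the in-memory `SESSIONS` store and the `USERS` credential are all hypothetical and constructed for illustration.

```python
import secrets
from http.cookies import SimpleCookie

SESSIONS = {}                        # session id -> username (in-memory, demo only)
USERS = {"alice": "correct horse"}   # constructed credential; store a hash in practice


def handle(method, path, cookie_header="", form=None):
    """Return (status, headers) for one request to the session resource."""
    if path != "/session":
        return 404, {}

    cookie = SimpleCookie(cookie_header)
    sid = cookie["sid"].value if "sid" in cookie else None

    if method == "POST":             # login: create the session
        form = form or {}
        user = form.get("username")
        password = form.get("password", "")
        if user not in USERS or not secrets.compare_digest(
            USERS[user].encode(), password.encode()
        ):
            return 401, {}
        new_sid = secrets.token_urlsafe(32)
        SESSIONS[new_sid] = user
        return 201, {
            "Set-Cookie": f"sid={new_sid}; HttpOnly; Secure; SameSite=Lax; Path=/"
        }

    if method == "DELETE":           # logout: destroy the session
        if sid not in SESSIONS:
            return 401, {}
        del SESSIONS[sid]
        return 204, {"Set-Cookie": "sid=; Max-Age=0; Path=/"}

    # GET, HEAD and every other method never change state, so a request
    # triggered by an <img> tag or a link cannot end the session.
    return 405, {"Allow": "POST, DELETE"}
```
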
