I'm designing a REST web API using Django REST Framework and I'm using session-based (for AJAX) and token-based authentication for mobile clients (Android).
But I'm wondering whether the session-based authentication isn't breaking the RESTful architecture constraint of being "stateless"? Because it does add a layer of "state" to the API? But on the other hand, using token-based authentication for AJAX calls doesn't seem like a good idea to me either, because then you would have to store the token in JavaScript?
http://www.django-rest-framework.org/api-guide/authentication
Kind regards, K.
Thanks for the reference! :-)
From the reference:
"RESTful web services should use session-based authentication, either by establishing a session token via a POST or by using an API key as a POST body argument or as a cookie."
Using the default settings for authentication in Django (login and logout), a cookie named "sessionid" is set when you log in. I have my REST API configured with the global permission "IsAuthenticated", so I guess the REST API uses the cookie to determine the session.
So all of this seems in line with the REST architecture constraints. :-)
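A Django REST Framework settings fragment that matches the setup discussed in this thread (session authentication for the browser, token authentication for the Android client, IsAuthenticated as the global default), added here as an illustration and not taken from the poster's project. It assumes a standard Django project layout; the class paths and setting names are DRF's and Django's own.

```python
# settings.py fragment (added example, not the original poster's configuration).
# Assumes a standard Django project; only the DRF-related settings are shown.

INSTALLED_APPS = [
    # ... Django's own apps ...
    "rest_framework",
    "rest_framework.authtoken",  # provides the Token model used by TokenAuthentication
]

REST_FRAMEWORK = {
    # DRF tries each class in turn until one authenticates the request.
    "DEFAULT_AUTHENTICATION_CLASSES": [
        # Browser / AJAX clients: reuses Django's "sessionid" cookie. For unsafe
        # methods (POST/PUT/PATCH/DELETE) DRF also enforces CSRF on session-
        # authenticated requests, so the JavaScript must send the csrftoken
        # cookie value in the X-CSRFToken header.
        "rest_framework.authentication.SessionAuthentication",
        # Mobile clients: "Authorization: Token <key>" header, no cookie and no
        # CSRF check, which is why it suits native apps rather than browser JS.
        "rest_framework.authentication.TokenAuthentication",
    ],
    # The global default mentioned in the thread: every endpoint requires an
    # authenticated user unless a view overrides permission_classes.
    "DEFAULT_PERMISSION_CLASSES": [
        "rest_framework.permissions.IsAuthenticated",
    ],
}

# Hardening for the session cookie the browser client relies on: unlike a token
# kept in JavaScript, an HttpOnly cookie cannot be read by script, and Secure
# keeps it off plain HTTP.
SESSION_COOKIE_HTTPONLY = True
SESSION_COOKIE_SECURE = True
```

The session cookie keeps server-side login state, which is the trade-off the question raises; the token path carries no cookie and is checked purely against the Authorization header on each request.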