
Communication between clients and servers must be stateless. Servers should not store any information about the context of clients between calls.

What about session information that is used to maintain authentication?

How to authenticate a user if we don't store anything on the server?

How to invalidate a session/token if we don't store anything on the server?

Romper

1 Answer


This can be done using JSON Web Tokens: https://jwt.io/introduction/

First the client authenticates. The server sends back a token which is then sent in the header of each request. The token contains all the data needed to ensure the user is logged in, along with their authorizations. As the token is signed, you can be sure it has not been tampered with on the client.

StephaneM
Ok, but how to invalidate that token? For example, if I changed my password on one device, will I still be authenticated on the second device? – Romper Apr 06 '17 at 07:00