
I use DelphiMVCFrameWork 3.2.1 for building the RESTful server for my mobile app.

For getting data I always use basic auth, and I send the username and password every time (for example):

{ requires IdHTTP in the unit's uses clause for TIdHTTP }
procedure TDM.getGroupsFromServer;
var
 Http: TIdHTTP;
 ReqStr: string;
begin
 // create before the try block, so Free in the finally never runs on an unassigned reference
 Http := TIdHTTP.Create(nil);
 try
  Http.ReadTimeout := 10000;
  Http.Request.ContentType := 'application/json';
  Http.Request.CharSet := 'utf-8';
  Http.Request.Accept := '*/*';
  Http.Request.BasicAuthentication := True; //<---------
  Http.Request.Username := DM.username;     //<---------
  Http.Request.Password := DM.password;     //<---------
  // Basic auth only base64-encodes username:password; over plain http:// it travels in the clear
  ReqStr := Http.Get('http://' + SERVER_IP + ':8080/api/groups');
  groupsJSON := ReqStr;
  dsGroups.LoadFromJSONArrayString(ReqStr);
  dsGroups.First;
 finally
  Http.Free;
 end;
end;

Is there any login method, after which I do my requests and finally call logout to terminate the connection?

  • User login: by sending username & password
  • User does CRUD operations (without sending user & pwd on every call)
  • User logs out / a connection timeout occurs

Thanks in advance

mjn
user2005049
  • I don't understand your question. The whole point of REST is that it is stateless; asking how to make it stateful is in contradiction with the REST architecture. If you are using basic authentication you need to send username and password every time. You can find more information about various authentication methods at https://blog.restcase.com/restful-api-authentication-basics/ – Dalija Prasnikar Feb 21 '21 at 08:12
  • What you need is called a session. From the documentation, it seems that DelphiMVCFrameWork supports sessions. – Olivier Feb 21 '21 at 08:54
  • @DalijaPrasnikar You know that the word "REST" is often misused. We're just talking about web services here. – Olivier Feb 21 '21 at 09:00
  • @Olivier I don't think I ever encountered that kind of misuse. Of course, such misuse is possible. If terminology is really misused here, then the question should be rephrased to state web service, not REST, because REST has a very specific definition and this kind of question would be closed as unclear in more frequent language tags. – Dalija Prasnikar Feb 21 '21 at 09:15

1 Answer

If you don't want to send usercode/password with each request, which is legitimate, then you must send a cookie. That cookie (time limited) is generated by server code and stored somewhere (database or in memory), and would be returned by the first request carrying the usercode/password.

For later requests, the client sends the cookie along with the request data. The server has to check the cookie and grant access if the cookie is valid.

Of course the cookie must be unique per usercode, and probably per originating IP, so that all requests can be associated with a given client on a given computer and a check can be made to verify the client has the required access for that specific request.

Depending on the framework capabilities (DelphiMVCFrameWork in your case), the cookie could be either an actual HTTP cookie, or simply a data field. That is not important as long as the cookie is transported from client to server for validation.

fpiette
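The login / authenticated requests / logout-or-timeout flow the question asks for, implemented the way the answer describes it (server issues a random, time-limited token on the first username/password request, stores it, validates it on later requests, and drops it on logout or expiry). This is an added example in Python, not DelphiMVCFramework code and not the answerer's code; the class and function names, the in-memory store, the 15-minute lifetime and the sample user "alice" are assumptions for illustration. The store keeps only a SHA-256 of each token, so a dump of the session table does not hand out live credentials, and `token_from_request` accepts the token either as an `Authorization: Bearer` header or as a `session` cookie, the two carriers the answer mentions.

```python
"""Session-token login/validate/logout flow (added example; names and values are assumed)."""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

SESSION_TTL = 15 * 60  # seconds a token stays valid; assumed value


@dataclass
class Session:
    username: str
    expires_at: float


class SessionStore:
    """Server side: issues time-limited tokens on login and checks them on later requests."""

    def __init__(self, password_db: Dict[str, bytes], clock: Callable[[], float] = time.time):
        # password_db maps username -> 16-byte salt followed by the PBKDF2 hash (constructed data)
        self._passwords = password_db
        self._clock = clock
        # keyed by SHA-256 of the token, so a leaked store does not reveal live tokens
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _hash_password(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    @staticmethod
    def _token_key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, username: str, password: str) -> Optional[str]:
        """First request: username/password in, token out (None on failure)."""
        record = self._passwords.get(username)
        if record is None:
            # hash anyway so an unknown user costs the same time as a wrong password
            self._hash_password(password, b"\0" * 16)
            return None
        salt, stored = record[:16], record[16:]
        if not hmac.compare_digest(self._hash_password(password, salt), stored):
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[self._token_key(token)] = Session(username, self._clock() + SESSION_TTL)
        return token

    def authenticate(self, token: Optional[str]) -> Optional[str]:
        """Later requests: return the username the token belongs to, or None."""
        if not token:
            return None
        key = self._token_key(token)
        session = self._sessions.get(key)
        if session is None:
            return None
        if self._clock() >= session.expires_at:
            del self._sessions[key]  # expired: drop it, the client must log in again
            return None
        return session.username

    def logout(self, token: str) -> bool:
        """Explicit logout revokes the token immediately."""
        return self._sessions.pop(self._token_key(token), None) is not None


def make_password_record(password: str) -> bytes:
    """Build the salt+hash record stored per user (helper for the constructed sample user)."""
    salt = os.urandom(16)
    return salt + SessionStore._hash_password(password, salt)


def token_from_request(headers: Dict[str, str]) -> Optional[str]:
    """The token may travel as a bearer header or as an HTTP cookie named 'session'; accept either."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return auth[len("Bearer "):].strip()
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return value
    return None


def demo() -> dict:
    """Walk through login -> authenticated requests -> timeout -> logout with a fake clock."""
    now = [1_000_000.0]  # controllable clock so the timeout can be simulated offline
    store = SessionStore({"alice": make_password_record("correct horse")}, clock=lambda: now[0])
    results = {}
    results["bad_password"] = store.login("alice", "wrong")
    token = store.login("alice", "correct horse")
    results["token_issued"] = token is not None
    results["bearer_ok"] = store.authenticate(token_from_request({"Authorization": f"Bearer {token}"}))
    results["cookie_ok"] = store.authenticate(token_from_request({"Cookie": f"theme=dark; session={token}"}))
    results["forged"] = store.authenticate("A" * 43)  # right length, never issued
    now[0] += SESSION_TTL + 1
    results["after_timeout"] = store.authenticate(token)
    token = store.login("alice", "correct horse")
    results["logout"] = store.logout(token)
    results["after_logout"] = store.authenticate(token)
    return results


if __name__ == "__main__":
    print(demo())
```

The per-IP binding the answer suggests is deliberately left out: mobile clients change addresses as they move between networks, and the token's lifetime plus explicit logout already bound the damage from a leaked token. Whichever carrier is used, header or cookie, the token is a bearer credential and needs TLS exactly as much as the password did on the login request.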