Essential API Facade Patterns: Session Management (Episode 2)
TRANSCRIPT
Apigee @apigee
Santanu Dey @Santanu_Dey
Essential API Facade Patterns
Episode 2 – Session Management
groups.google.com/group/api-craft
slideshare.net/apigee
youtube.com/apigee
Webcast Series: API Facade Patterns
Episode 1: Composition
Episode 2: Session Management
Episode 3: One Phase to Two Phase Conversion
Episode 4: Synchronous to Asynchronous
Problem
Solution
Benefits
Considerations
Episode 2: Session Management
Use Session Management to enable API teams and app developers to implement and improve their API designs and apps
Problem
Session Management
Managing the state of dynamically created resources (per client) through a series of client-server interactions
Services are best kept stateless
But . . . sometimes stateful services are really needed
Example: shopping cart
Shopping cart states: Created → Cart updated → Order received
Transitions: Create cart → Add / remove items → Check out → Track order
Stateful interaction requires session
Example: room booking
Example: job application
Even OAuth requires a session
Session management helps in maintaining client context (on the server)
State management and session management are not the same
Session Management is one of the ways of managing client state
In the context of APIs
how to design Session Management?
how to implement Session Management?
Application servers solved this problem for the Web by managing client sessions
Users → Browser → App Server (Web Application) → Backend Server (Order Processing Server)
Order Processing Server:
• Server is stateless to be scalable
• Not designed to handle client-specific resource state
• No stored client context on the transaction server
• Each request must contain all state information
Web Application (on the App Server): manages user sessions
Very close to a Hypermedia Interface
But, we need an App!
Solution
If application servers solved this problem for the Web, how do we reuse this capability when exposing APIs?
In mobile application parlance, managing client state on the device is expensive:
• Requires more local processing
• Requires more local storage
• Requires more data exchange over the network
Managing client state on the back-end server is expensive too.
Stateful interaction with RESTful APIs
App (relies on REST) → API Façade → Backend Server
Example of the API Façade: the façade sits between the app and the backend server, adding API exposure & management on top of the backend's existing capabilities.
Totally stateless interface: provide HATEOAS
The API Façade holds transient state information & provides the hyperlinks for the state transition
View a product
GET http://yourhost/products/sku/098430?user=123&cart=2235
Returns the details of a product along with hypermedia to allow interaction with the product resource.
{
  "Product": {
    "item-name": "MTune MP3 Player",
    "description": "2GB MP3 Player",
    "unit-price": "34.56",
    "sku": "098430",
    "link": {
      "@attributes": {
        "url": "/cart/id/2235/addProduct/sku/098430?user=123"
      }
    }
  }
}
Add a product
POST http://yourhost/cart/2235/addProduct/sku/098430?user=123
Adds a product to an existing shopping cart & returns the cart.
{
  "Cart": {
    "id": "2235",
    "Name": "Christmas Shopper",
    "link": {
      "@attributes": {
        "url": "/cart/id/2235"
      }
    },
    "items": {
      "item": {
        "item-name": "MTune 2GB MP3 Player",
        "description": "MTune, MP3 player",
        "unit-price": "34.56",
        "quantity": "1"
      }
    }
  }
}
State of the cart helps represent the shopping session
Benefits
Manages session state as part of the state transition of the resource (App → API Façade → Backend Server)
Warning! UML Ahead
The API Façade provides access to transient resources through RESTful APIs
App Developer
Doesn’t have to control the state
Doesn’t have to maintain the entire state information
Doesn’t have to resubmit each time
Less programming overhead
App Developers consume REST more easily
The API Façade addresses scalability while managing transient resources
The API Façade addresses replay attack and session hijacking concerns (figure: malicious user)
Programmable
Can capture analytics around session usage
Other Considerations
When should we really think about Session Management?
If it is too much overhead to send back the entire context data each time
Information associated with the session or "transient resource" should be minimal
Session should be expired within a short time (security concern)
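The following is an added example, not Apigee's code nor anything from the webcast. It puts the cart example above and the three considerations just listed into one runnable façade: the backend (a constructed product catalogue) stays stateless, the façade holds the transient cart, every response carries the hyperlink for the next state transition, the cart is bound to the user who created it, its payload is capped, and it expires after a short idle time. The URL paths, the TTL, the item cap and the catalogue are assumptions made for the example; the routing in `handle` is a stand-in for whatever HTTP layer a real façade runs on.

```python
import time
from urllib.parse import parse_qs, urlsplit

SESSION_TTL_SECONDS = 600   # assumption: a cart session expires after 10 idle minutes
MAX_ITEMS_PER_CART = 50     # assumption: cap on the transient state held per session

# Constructed catalogue standing in for the stateless backend's product lookup.
CATALOGUE = {"098430": {"item-name": "MTune MP3 Player",
                        "description": "2GB MP3 Player", "unit-price": "34.56"}}


class Facade:
    """Holds transient cart state on behalf of the app; the backend stays stateless."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be exercised in tests
        self._carts = {}         # cart_id -> {"user", "name", "items", "expires_at"}
        self._next_id = 2235     # constructed starting id, matching the slide's cart

    def _cart_for(self, cart_id, user):
        """Return the cart only if it exists, has not expired and belongs to `user`."""
        cart = self._carts.get(cart_id)
        if cart is not None and cart["expires_at"] <= self._clock():
            del self._carts[cart_id]          # short-lived session: drop it
            cart = None
        if cart is None or cart["user"] != user:
            return None                       # unknown, expired, or not this user's cart
        cart["expires_at"] = self._clock() + SESSION_TTL_SECONDS   # sliding expiry
        return cart

    def _represent(self, cart_id, cart):
        """Cart representation carrying the link back to the cart resource."""
        return {"Cart": {"id": cart_id, "Name": cart["name"],
                         "link": {"url": f"/cart/{cart_id}?user={cart['user']}"},
                         "items": [dict(item) for item in cart["items"]]}}

    def create_cart(self, user, name):
        cart_id = str(self._next_id)
        self._next_id += 1
        self._carts[cart_id] = {"user": user, "name": name, "items": [],
                                "expires_at": self._clock() + SESSION_TTL_SECONDS}
        return 201, self._represent(cart_id, self._carts[cart_id])

    def view_product(self, sku, user, cart_id):
        product = CATALOGUE.get(sku)
        if product is None:
            return 404, {"error": "unknown sku"}
        body = {"Product": dict(product, sku=sku)}
        # Offer the add-to-cart transition only for a live cart owned by this user.
        if self._cart_for(cart_id, user) is not None:
            body["Product"]["link"] = {
                "url": f"/cart/{cart_id}/addProduct/sku/{sku}?user={user}"}
        return 200, body

    def add_product(self, cart_id, sku, user):
        cart = self._cart_for(cart_id, user)
        if cart is None:   # expired or foreign cart: point the app at creating a new one
            return 404, {"error": "no live cart for this user",
                         "link": {"url": f"/cart?user={user}"}}
        if sku not in CATALOGUE:
            return 404, {"error": "unknown sku"}
        if len(cart["items"]) >= MAX_ITEMS_PER_CART:
            return 409, {"error": "cart full"}
        for item in cart["items"]:
            if item["sku"] == sku:
                item["quantity"] += 1
                break
        else:
            cart["items"].append(dict(CATALOGUE[sku], sku=sku, quantity=1))
        return 200, self._represent(cart_id, cart)

    def handle(self, method, url):
        """Route a hypermedia link back to a façade operation (constructed routing)."""
        parts = urlsplit(url)
        seg = parts.path.strip("/").split("/")
        q = {k: v[0] for k, v in parse_qs(parts.query).items()}
        user = q.get("user")
        if user is None:
            return 401, {"error": "user required"}
        if method == "POST" and seg == ["cart"]:
            return self.create_cart(user, q.get("name", "cart"))
        if method == "GET" and len(seg) == 3 and seg[:2] == ["products", "sku"]:
            return self.view_product(seg[2], user, q.get("cart"))
        if method == "POST" and len(seg) == 5 and seg[0] == "cart" and seg[2:4] == ["addProduct", "sku"]:
            return self.add_product(seg[1], seg[4], user)
        if method == "GET" and len(seg) == 2 and seg[0] == "cart":
            cart = self._cart_for(seg[1], user)
            if cart is None:
                return 404, {"error": "no live cart for this user"}
            return 200, self._represent(seg[1], cart)
        return 404, {"error": "no route"}


def follow_links(facade, user):
    """App side: keeps no cart state at all, it only follows the links it is given."""
    _, cart = facade.handle("POST", f"/cart?user={user}&name=Christmas+Shopper")
    cart_id = cart["Cart"]["id"]
    _, product = facade.handle("GET", f"/products/sku/098430?user={user}&cart={cart_id}")
    return facade.handle("POST", product["Product"]["link"]["url"])
```

`follow_links` is the point of the pattern from the app developer's side: the app never assembles cart state or resubmits it, it just creates a cart and then follows the `link` the façade hands back. On the façade side, `_cart_for` is where the considerations live: the cart is refused unless it is unexpired and belongs to the requesting user, and a stale cart is dropped rather than resurrected, so the only way forward after expiry is the `/cart` link that starts a fresh session.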
Questions?
THANK YOU
Subscribe to API webcasts at: youtube.com/apigee
Questions and ideas to: groups.google.com/group/api-craft
Apigee @apigee