Apigee@apigee

Santanu Dey@Santanu_Dey

Essential API Facade Patterns

Episode 2 – Session Management

groups.google.com/group/api-craft

slideshare.net/apigee

youtube.com/apigee

@Santanu_DeySantanu Dey

Episode 1Composition

Episode 2Session Management

Episode 3One Phase to Two Phase Conversion

Episode 4Synchronous to Asynchronous

Webcast Series: API Facade Patterns

Problem

Solution

Benefits

Considerations

Episode 2 : Session Management

Use Session Management to

enable API teams and app developers to implement and improve their API designs and apps

Problem

Session Management

Managing the state of dynamically created resources (per client) through a series of client-server interactions

Services are best kept stateless

But . . . sometimes stateful services are really needed

Example: shopping cart

Shopping Cart Created Cart updated Order received

Create cartAdd / remove items

Check out Track order

Stateful interaction requires session

Example: room booking

Example: job application

Even OAuth requires a session

Session management helps in maintaining client context (on the server)

State management and session managementare not the same

Session Management is one of the ways of managing client state

In the context of APIs

how to design Session Management?

how to implement Session Management?

Application Servers solve this issue for the Web by managing client sessions

Application servers solved this problem for the Web

Backend ServerApp Server

Users

Browser

Order Processing Server• Server is stateless to be scalable• Not designed to handle client specific

resource state

No stored client context on the transaction serverEach request must contain all

state information

Application servers solved this problem for the Web

Backend ServerApp ServerBrowser

Users

Order Processing Server• Server is stateless to be

scalable• Not designed to handle

client specific resource state

No stored client context on the

transaction server

Each request must contain all

state information

WebApplicationManages user sessions

Application servers solved this problem for the Web

Users

Backend ServerApp ServerBrowser

Order Processing Server• Server is stateless to be

scalable• Not designed to handle

client specific resource state

No stored client context on the

transaction server

Users

Each request must contain all state

information

WebApplicationManages user sessions

Very close to Hypermedia

Interface

Application servers solved this problem for the Web

Backend ServerApp ServerBrowser

But, we need an App!

Solution

Order Processing Server• Server is stateless to be

scalable• Not designed to handle

client specific resource state

No stored client context on the

transaction server

Users

Each request must contain all state

information

WebApplicationManages user sessions

Very close to Hypermedia

Interface

If application servers solved this problem for the Web

Backend ServerApp ServerBrowser

How do we reuse this capability when exposing APIs?

In mobile applications parlance managing client state on the device is expensive

Requires more local processing

Requires more local storage

Requires more date exchange over the network

Managing client state on the back-end server is expensive too.

Stateful interaction with RESTful APIs

App relies on REST

Backend Server

API Façade

Example of the API Façade

Backend Server

API Façade

Existing Capabilities

API Exposure &

Mgmt

App relies on REST

Stateful interaction with RESTful APIs

Totally Stateless Interface

App relies on REST

Backend Server

API Façade

Totally stateless InterfaceProvide HATEOAS

Holds transient state information & provides the hyperlinks for the state transition

Stateful interaction with RESTful APIs

App relies on REST

Backend Server

API Façade

View a product

{   "Product":{      "item-name":"MTune MP3 Player",      "description":"2GB MP3 Player",      "unit-price":"34.56",      "sku":"098430",      "link":{         "@attributes":{            "url":"\/cart\/id\/2235\/addProduct\/sku\/098430?user=123"         }      }   }}

Returns the details of a product along with hypermedia to allow interaction with the product resource.

GET http://yourhost/products/sku/098430?user=123&cart=2235

Adds a Product to an existing shopping cart & returns the cart.

{   "Cart":{      "id":"2235",      "Name":"Christmas Shopper",      "link":{         "@attributes":{            "url":"\/cart\/id\/2235"         }      },      "items":{         "item":{            "item-name":"MTune 2GB MP3 Player",            "description":"MTune, MP3 player",            "unit-price":"34.56",            "quantity":"1"         }      }   }}

Add a product

POST http://yourhost/cart/2235/addProduct/sku/098430?user=123

State of the cart helps represent the shopping session

Benefits

Manages session state as part of state transition of the resource

Backend Server

API Façade

Warning! UML Ahead

API Façade provides access to transient resources through RESTful APIs

App Developer

Doesn’t have to control the state

Doesn’t have to maintain the entire state information

Doesn’t have to resubmit each time

Less programming overhead

App Developers consume REST more easily

The API Façade addresses scalability while managing transient resources

Backend Server

API Façade

Backend Server

API Façade

The API Façade addresses replay attack, session hijacking concerns

Malicious user

Programmable

Can capture analytics around session usage

Other Considerations

When should we really think about Session Management?

If it is too much overhead to send back the entire context data each time

Information associated with Session or “transit resource” should be minimal

Session should be expired within a short time (security concern)

Questions?

THANK YOUSubscribe to API webcasts at:

youtube.com/apigee

Apigee@apigee

THANK YOUQuestions and ideas to:

groups.google.com/group/api-craft

Apigee@apigee

THANK YOUContact me at:

@Santanu_Deysdey@apigee.com

Apigee@apigee