It is *not* using cookies *now* or in the past. :-)
The user authenticates using standard "basic authentication" and obtains a "json web token" (JWT) which contains enough information to identify the user and an expiry. The JWT is signed. Subsequent requests then supply this JWT on a header and the server is thus able to identify the user and can trust that the JWT is legitimate because it can check the signature.
The client side periodically refreshes the JWT that it holds in order to get a new one that has not expired.
This way the application server does not need to hold state about the current users and so there is no need to manage sessions across a load-balanced deployment. The downside is that it is not possible to invalidate a session because there are no sessions at the application server.
On 13/04/15 9:47 pm, Axel Dörfler wrote:
> On 13.04.2015 at 11:31, Andrew Lindesay wrote:
>> keep the back-end system entirely stateless. This should allow it to
>> scale up later on with less complexity.
> Not cookies or now cookies? :-)
> How can the backend be entirely stateless? You somehow need to track the
> valid user tokens, right?
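The flow described in the reply above (Basic authentication once, a signed JWT with an expiry on every later request, periodic refresh, and no server-side session to revoke) as an added, self-contained example. This is not code from the thread or from the project; it assumes HS256 (HMAC-SHA256) as the signature, a single server-held key shared by all app-server instances, and a constructed one-user table with a hypothetical salt. Standard library only.

```python
"""Stateless JWT flow: Basic auth -> signed token -> bearer header -> refresh."""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Assumption: one HMAC key shared by every app-server instance. It is the only
# thing the servers need in common, which is what makes the deployment stateless.
SERVER_KEY = b"example-only-change-me"

# Constructed sample user table (username -> salted SHA-256 of the password).
_SALT = b"example-salt"
USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def check_basic_auth(authorization: str) -> Optional[str]:
    """Validate an 'Authorization: Basic ...' header; return the username or None."""
    scheme, _, credential = authorization.partition(" ")
    if scheme != "Basic":
        return None
    try:
        user, _, password = base64.b64decode(credential, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    stored = USERS.get(user)
    if stored is None:
        return None
    candidate = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return user if hmac.compare_digest(candidate, stored) else None


def issue_jwt(subject: str, now: int, ttl: int = 300, key: bytes = SERVER_KEY) -> str:
    """Mint an HS256 JWT carrying only the user id, issue time and expiry."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": subject, "iat": now, "exp": now + ttl}, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def verify_jwt(token: str, now: int, key: bytes = SERVER_KEY) -> Optional[dict]:
    """Return the payload if the signature is valid and the token is unexpired, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, signature_b64 = parts
    try:
        presented = _b64url_decode(signature_b64)
    except ValueError:
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Check the MAC before trusting anything inside the token; constant-time compare.
    if not hmac.compare_digest(expected, presented):
        return None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        return None
    payload = json.loads(_b64url_decode(payload_b64))
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload


def refresh_jwt(token: str, now: int, ttl: int = 300) -> Optional[str]:
    """Client-side refresh: a still-valid token is traded for a fresh one."""
    payload = verify_jwt(token, now)
    return None if payload is None else issue_jwt(payload["sub"], now, ttl)


def handle_request(authorization: str, now: int) -> Optional[str]:
    """Per-request work on any app server: no session lookup, just verify the token."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer":
        return None
    payload = verify_jwt(token, now)
    return None if payload is None else payload["sub"]


def demo(now: int = 1_000_000) -> dict:
    """Walk the whole flow and return the observable outcomes."""
    basic = "Basic " + base64.b64encode(b"alice:correct horse").decode()
    user = check_basic_auth(basic)
    token = issue_jwt(user, now, ttl=300)
    tampered = token[:-3] + ("AAA" if not token.endswith("AAA") else "BBB")
    return {
        "login_user": user,
        "request_ok": handle_request("Bearer " + token, now + 10),
        "request_tampered": handle_request("Bearer " + tampered, now + 10),
        "request_expired": handle_request("Bearer " + token, now + 301),
        "refreshed_ok": handle_request("Bearer " + refresh_jwt(token, now + 200), now + 400),
        # The downside noted in the thread: nothing server-side can revoke this
        # token before 'exp'; it keeps verifying even after the user "logs out".
        "after_logout_still_valid": handle_request("Bearer " + token, now + 299),
    }
```

The refresh step answers the question of how the backend stays stateless: the only server-side secret is the signing key, and a refresh is just "verify, then re-issue". The last entry in `demo()` is the price of that design, which is why short TTLs matter in this model.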