Essential API Facade Patterns: Session Management (Episode 2)
TRANSCRIPT
![Page 1: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/1.jpg)
Apigee@apigee
Santanu Dey@Santanu_Dey
Essential API Facade Patterns
Episode 2 – Session Management
![Page 2: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/2.jpg)
groups.google.com/group/api-craft
![Page 3: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/3.jpg)
slideshare.net/apigee
![Page 4: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/4.jpg)
youtube.com/apigee
![Page 5: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/5.jpg)
Santanu Dey @Santanu_Dey
![Page 6: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/6.jpg)
Episode 1: Composition
Episode 2: Session Management
Episode 3: One Phase to Two Phase Conversion
Episode 4: Synchronous to Asynchronous
Webcast Series: API Facade Patterns
![Page 7: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/7.jpg)
Problem
Solution
Benefits
Considerations
Episode 2 : Session Management
![Page 8: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/8.jpg)
Use Session Management to
enable API teams and app developers to implement and improve their API designs and apps
Problem
![Page 9: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/9.jpg)
Session Management
Managing the state of dynamically created resources (per client) through a series of client-server interactions
![Page 10: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/10.jpg)
Services are best kept stateless
![Page 11: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/11.jpg)
But . . . sometimes stateful services are really needed
![Page 12: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/12.jpg)
Example: shopping cart
![Page 13: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/13.jpg)
Create cart → Shopping cart created
Add / remove items → Cart updated
Check out → Order received
Track order
Stateful interaction requires a session
![Page 14: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/14.jpg)
Example: room booking
![Page 15: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/15.jpg)
Example: job application
![Page 16: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/16.jpg)
Even OAuth requires a session
![Page 17: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/17.jpg)
Session management helps in maintaining client context (on the server)
![Page 18: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/18.jpg)
State management and session management are not the same
![Page 19: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/19.jpg)
Session Management is one of the ways of managing client state
![Page 20: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/20.jpg)
In the context of APIs
how to design Session Management?
how to implement Session Management?
![Page 21: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/21.jpg)
Application Servers solve this issue for the Web by managing client sessions
![Page 22: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/22.jpg)
Application servers solved this problem for the Web
Users → Browser → App Server → Backend Server
![Page 23: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/23.jpg)
Order Processing Server
• Server is stateless to be scalable
• Not designed to handle client-specific resource state
No stored client context on the transaction server: each request must contain all state information
Application servers solved this problem for the Web
Users → Browser → App Server → Backend Server
![Page 24: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/24.jpg)
Order Processing Server
• Server is stateless to be scalable
• Not designed to handle client-specific resource state
No stored client context on the transaction server: each request must contain all state information
Web Application: manages user sessions
Application servers solved this problem for the Web
Users → Browser → App Server → Backend Server
![Page 25: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/25.jpg)
Order Processing Server
• Server is stateless to be scalable
• Not designed to handle client-specific resource state
No stored client context on the transaction server: each request must contain all state information
Web Application: manages user sessions
Very close to a Hypermedia Interface
Application servers solved this problem for the Web
Users → Browser → App Server → Backend Server
![Page 26: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/26.jpg)
But, we need an App!
![Page 27: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/27.jpg)
Solution
![Page 28: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/28.jpg)
Order Processing Server
• Server is stateless to be scalable
• Not designed to handle client-specific resource state
No stored client context on the transaction server: each request must contain all state information
Web Application: manages user sessions
Very close to a Hypermedia Interface
Users → Browser → App Server → Backend Server
If application servers solved this problem for the Web,
how do we reuse this capability when exposing APIs?
![Page 29: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/29.jpg)
For mobile applications, managing client state on the device is expensive:
Requires more local processing
Requires more local storage
Requires more data exchange over the network
![Page 30: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/30.jpg)
Managing client state on the back-end server is expensive too.
![Page 31: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/31.jpg)
Stateful interaction with RESTful APIs
App relies on REST
Backend Server
API Façade
![Page 32: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/32.jpg)
Example of the API Façade
App relies on REST → API Façade (API Exposure & Mgmt) → Backend Server (Existing Capabilities)
![Page 33: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/33.jpg)
Stateful interaction with RESTful APIs
Totally Stateless Interface
App relies on REST
Backend Server
API Façade
![Page 34: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/34.jpg)
Totally stateless interface
Provide HATEOAS
Holds transient state information & provides the hyperlinks for the state transition
Stateful interaction with RESTful APIs
App relies on REST
Backend Server
API Façade
![Page 35: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/35.jpg)
View a product

GET http://yourhost/products/sku/098430?user=123&cart=2235

```json
{
  "Product": {
    "item-name": "MTune MP3 Player",
    "description": "2GB MP3 Player",
    "unit-price": "34.56",
    "sku": "098430",
    "link": {
      "@attributes": {
        "url": "/cart/id/2235/addProduct/sku/098430?user=123"
      }
    }
  }
}
```

Returns the details of a product along with hypermedia to allow interaction with the product resource.
![Page 36: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/36.jpg)
Add a product

POST http://yourhost/cart/2235/addProduct/sku/098430?user=123

```json
{
  "Cart": {
    "id": "2235",
    "Name": "Christmas Shopper",
    "link": {
      "@attributes": {
        "url": "/cart/id/2235"
      }
    },
    "items": {
      "item": {
        "item-name": "MTune 2GB MP3 Player",
        "description": "MTune, MP3 player",
        "unit-price": "34.56",
        "quantity": "1"
      }
    }
  }
}
```

Adds a product to an existing shopping cart & returns the cart.
![Page 37: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/37.jpg)
State of the cart helps represent the shopping session
![Page 38: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/38.jpg)
Benefits
![Page 39: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/39.jpg)
Manages session state as part of state transition of the resource
Backend Server
API Façade
![Page 40: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/40.jpg)
Warning! UML Ahead
![Page 41: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/41.jpg)
![Page 42: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/42.jpg)
API Façade provides access to transient resources through RESTful APIs
![Page 43: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/43.jpg)
App Developer
Doesn't have to control the state
Doesn't have to maintain the entire state information
Doesn't have to resubmit it each time
Less programming overhead
App developers consume REST more easily
![Page 44: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/44.jpg)
The API Façade addresses scalability while managing transient resources
Backend Server
API Façade
![Page 45: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/45.jpg)
Backend Server
API Façade
The API Façade can address replay attack and session hijacking concerns: it is the one place that issues the session (cart) identifier, so it can make that identifier unguessable, bind it to the authenticated client, reject a repeated state-changing request, and expire it
Malicious user
![Page 46: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/46.jpg)
Programmable
![Page 47: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/47.jpg)
Can capture analytics around session usage
![Page 48: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/48.jpg)
Other Considerations
![Page 49: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/49.jpg)
When should we really think about Session Management?
![Page 50: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/50.jpg)
If it is too much overhead to send back the entire context data each time
![Page 51: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/51.jpg)
Information associated with a session or "transient resource" should be minimal
![Page 52: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/52.jpg)
Sessions should expire within a short time (security concern: a leaked or guessed identifier is only useful until the session expires)
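The following is an added worked example, not code from the webcast or from Apigee: a small in-memory API Façade, written in Python, that plays out the product/cart slides above and the two considerations just stated (bind the transient resource to the client, expire it quickly). It also shows what the façade has to do for the replay and hijacking claim to hold. Assumptions, all of them mine: the caller's identity (`user`) comes from authentication the façade has already performed (an OAuth access token, say) and is never taken from a `?user=123` query parameter; cart identifiers are random rather than sequential like the slide's `2235`; every state-changing hyperlink carries a one-time token that the façade rotates on use, so a replayed `addProduct` link is refused; and the catalogue is a constructed stand-in for the stateless backend.

```python
import secrets
import time
from dataclasses import dataclass, field

# Constructed catalogue standing in for the stateless backend; the SKU and
# price mirror the slide's example, everything else is assumed.
CATALOG = {
    "098430": {"item-name": "MTune MP3 Player",
               "description": "2GB MP3 Player",
               "unit-price": "34.56"},
}

SESSION_TTL = 15 * 60  # seconds; a shopping session should expire quickly


class SessionError(Exception):
    """Cart unknown, expired, owned by another client, or link replayed."""


@dataclass
class Cart:
    owner: str                    # authenticated principal the cart is bound to
    name: str
    items: dict = field(default_factory=dict)   # sku -> quantity
    expires_at: float = 0.0
    action_token: str = ""        # one-time token carried by state-changing links


class CartFacade:
    """Holds the transient cart (the session) and hands out hypermedia links.
    `now` is injectable so expiry can be exercised deterministically."""

    def __init__(self, now=time.time):
        self._carts = {}
        self._now = now

    def create_cart(self, user, name):
        # 128-bit random id: unlike the sequential '2235' on the slide it
        # cannot be guessed or enumerated by another client.
        cart_id = secrets.token_urlsafe(16)
        self._carts[cart_id] = Cart(owner=user, name=name,
                                    expires_at=self._now() + SESSION_TTL,
                                    action_token=secrets.token_urlsafe(8))
        return cart_id

    def _lookup(self, cart_id, user):
        cart = self._carts.get(cart_id)
        if cart is None or cart.expires_at <= self._now():
            self._carts.pop(cart_id, None)           # expired state is dropped
            raise SessionError("unknown or expired cart")
        if not secrets.compare_digest(cart.owner, user):
            raise SessionError("cart is bound to a different user")  # hijack
        cart.expires_at = self._now() + SESSION_TTL  # sliding expiry while in use
        return cart

    def _action_link(self, cart_id, cart, rel, path):
        # Every state-transition link carries the cart's current one-time token.
        return {"rel": rel,
                "url": f"/cart/{cart_id}/{path}?token={cart.action_token}"}

    def _consume_token(self, cart, token):
        if not secrets.compare_digest(cart.action_token, token):
            raise SessionError("stale or replayed action token")
        cart.action_token = secrets.token_urlsafe(8)  # rotate: old link is dead

    def view_product(self, sku, user, cart_id):
        cart = self._lookup(cart_id, user)
        product = dict(CATALOG[sku], sku=sku)
        product["link"] = self._action_link(cart_id, cart, "addProduct",
                                            f"addProduct/sku/{sku}")
        return {"Product": product}

    def add_product(self, cart_id, sku, user, token):
        cart = self._lookup(cart_id, user)
        self._consume_token(cart, token)
        if sku not in CATALOG:
            raise KeyError(sku)
        cart.items[sku] = cart.items.get(sku, 0) + 1
        return self._represent(cart_id, cart)

    def _represent(self, cart_id, cart):
        # The cart representation is the shopping session, with the links for
        # the next legal state transitions attached.
        return {"Cart": {
            "id": cart_id,
            "Name": cart.name,
            "links": [{"rel": "self", "url": f"/cart/{cart_id}"},
                      self._action_link(cart_id, cart, "checkout", "checkout")],
            "items": [dict(CATALOG[sku], sku=sku, quantity=qty)
                      for sku, qty in cart.items.items()],
        }}


def token_from(link):
    """Pull the one-time token out of a hypermedia link, as a client would."""
    return link["url"].split("token=", 1)[1]
```

The app never sees or sends the cart's contents; it follows the links the façade returns, which is the HATEOAS point of the pattern. The backend stays stateless because the façade, not the order-processing server, holds the cart until checkout or expiry.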
![Page 53: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/53.jpg)
Questions?
![Page 54: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/54.jpg)
THANK YOU
Subscribe to API webcasts at: youtube.com/apigee
Apigee @apigee
![Page 55: Essential API Facade Patterns: Session Management (Episode 2)](https://reader038.vdocuments.us/reader038/viewer/2022103000/554f5f24b4c905bb178b45d6/html5/thumbnails/55.jpg)
THANK YOU
Questions and ideas to: groups.google.com/group/api-craft
Apigee @apigee