DEV Community

Rumesh Madhusanka
Rumesh Madhusanka

Posted on

How to implement login limits if rest apis are stateless?

Rest api's are stateless. But if how login attempt limits are implemented? Further, how to load balance between several server instances when login limits are implemented?

Top comments (3)

Collapse
 
nickholmesde profile image
Nick Holmes

Stateless in the context of REST APIs means not storing any data about the clients sessions on the server. Every request should be treated without regard to any previous (or future) requests.

Normally, you would make it the clients responsibility to send any needed state with each request, but in this particular case, that would create a big security hole.

Therefore, you will need to consider this logon attempts limit as resource state and persist it to your back-end data store (database). Once it's there, its shared between your instances, and load balancing problem is basically solved.

(Or go OAuth and let someone else worry about it!)

Collapse
 
loki profile image
Loki Le DEV

Thanks for this explanation I didn't understand well the concept of stateless until now :)

Collapse
 
devdrake0 profile image
Si

The API's are stateless, that doesn't mean they cannot communicate with databases. One simple way is to increment a database count, when an incorrect password is used, and have the API check it.

That also answers your question about load balancing, as they'll check the same database.