Rest api's are stateless. But if how login attempt limits are implemented? Further, how to load balance between several server instances when login limits are implemented?
For further actions, you may consider blocking this person and/or reporting abuse
Top comments (3)
Stateless in the context of REST APIs means not storing any data about the clients sessions on the server. Every request should be treated without regard to any previous (or future) requests.
Normally, you would make it the clients responsibility to send any needed state with each request, but in this particular case, that would create a big security hole.
Therefore, you will need to consider this logon attempts limit as resource state and persist it to your back-end data store (database). Once it's there, its shared between your instances, and load balancing problem is basically solved.
(Or go OAuth and let someone else worry about it!)
Thanks for this explanation I didn't understand well the concept of stateless until now :)
The API's are stateless, that doesn't mean they cannot communicate with databases. One simple way is to increment a database count, when an incorrect password is used, and have the API check it.
That also answers your question about load balancing, as they'll check the same database.