REST API – Why Use Authentication Token Instead of Session ID for Android Apps

Tags: android, api, api-design, PHP, rest

In a normal PHP web application, after login we use the session_id that comes from the web browser to check whether the user is logged in or not.

But for REST API authentication, I read some tutorials that say PHP should send back an authentication "token" for the Android app to save and give back to the PHP server with every request.

My question is: why should I send back some authentication token instead of the session_id? I can send back the session_id from the Android app and do the normal session stuff on the PHP server side.

PS: if my question is not clear, tell me and I will explain more.

Best Answer

The purpose of a session id is to maintain "state" of the application across requests. In REST, APIs are designed specifically to resist this kind of state. Each request is considered self-contained against a resource and should be independent of any specific application state. While the session id may be used similarly to an authentication token, its purpose is not similar. An authentication token performs a confirmed authentication/authorization with each request. A session id continues to live on the server across multiple requests, which violates REST.
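To make the distinction in the answer concrete, here is an added example (not part of the question or the answer, and not anyone's production code) that puts the two mechanisms side by side. Python stands in for the PHP backend; the primitives used map directly onto PHP's hash_hmac() and hash_equals(). The token is an HMAC-SHA256-signed payload with an expiry, so any server holding the secret can re-authenticate the bearer on every request with no stored state; the session id is a random key into a dictionary that lives on the server that issued it. The secret key, user names and timestamps are constructed for the example.

```python
"""Stateless HMAC token versus server-side session id (added example)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

# Constructed key for the example. A real deployment loads it from server
# configuration and never ships it inside the Android app.
SERVER_SECRET = bytes.fromhex(
    "4f6e6c79466f7244656d6f4e6f7452656173696e67546869734b657921212121")


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_claims(claims: dict) -> bytes:
    # Canonical JSON so the MAC covers one fixed byte string.
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def issue_token(user_id: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Return '<payload>.<mac>' for a user who has just proven who they are."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "iat": int(now), "exp": int(now) + ttl_seconds,
              "jti": secrets.token_hex(8)}
    payload = _encode_claims(claims)
    mac = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return f"{_b64url(payload)}.{_b64url(mac)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Re-authenticate the bearer from the token alone; None if rejected.

    Nothing here reads server state: the same function on any server that
    holds SERVER_SECRET gives the same answer for the same token.
    """
    now = time.time() if now is None else now
    try:
        payload_b64, mac_b64 = token.split(".")
        payload = _b64url_decode(payload_b64)
        presented_mac = _b64url_decode(mac_b64)
    except ValueError:          # wrong shape or invalid base64
        return None
    expected_mac = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    # Constant-time comparison (hash_equals() in PHP) before trusting the payload.
    if not hmac.compare_digest(presented_mac, expected_mac):
        return None
    claims = json.loads(payload)
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


class SessionStore:
    """The classic model: the session id is only a key into state held here."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def login(self, user_id: str) -> str:
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = {"sub": user_id}
        return session_id

    def lookup(self, session_id: str) -> Optional[dict]:
        return self._sessions.get(session_id)


def demo() -> dict:
    """Exercise both mechanisms with constructed data and collect the outcomes."""
    t0 = 1_700_000_000.0
    token = issue_token("alice", ttl_seconds=900, now=t0)
    # Forgery attempt: swap the payload for one claiming 'admin', keep the MAC.
    _, mac_b64 = token.split(".")
    forged_claims = {"sub": "admin", "iat": int(t0), "exp": int(t0) + 900, "jti": "00"}
    forged = f"{_b64url(_encode_claims(forged_claims))}.{mac_b64}"

    server_a, server_b = SessionStore(), SessionStore()   # two backend instances
    sid = server_a.login("alice")

    return {
        "token_user": verify_token(token, now=t0 + 1)["sub"],
        "forged_rejected": verify_token(forged, now=t0 + 1) is None,
        "expired_rejected": verify_token(token, now=t0 + 901) is None,
        "session_on_issuing_server": server_a.lookup(sid)["sub"],
        "session_on_other_server": server_b.lookup(sid),      # unknown there
        "token_on_other_server": verify_token(token, now=t0 + 1)["sub"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The session id only means something to the server that holds the dictionary, which is exactly the per-client state the answer is talking about; the token carries its own proof and expiry, so every request is authenticated from scratch. The flip side a practitioner should keep in mind is that a token like this cannot be revoked before its `exp` without reintroducing some server-side state (a deny list or a key rotation), so keep the lifetime short.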