Implementing logout in a RESTful webservice

I am developing a mobile application for which a logout service is required. The login service is done by validating against the database, and now I am stuck at logout.

asked May 12 '16 by user6325753




3 Answers

A step back

You didn't provide many details on how the authentication is performed in your application and it's hard to guess what you are doing.

However, it's important to note that, in REST applications, there must not be session state stored on the server side. Instead, the session state must be handled entirely by the client.

But what is the problem with sessions on server side? They are stateful and they break the REST stateless constraint (keep reading for more details), hence it's not REST.

The stateless constraint

According to Roy T. Fielding's dissertation, the REST stateless constraint is defined as the following:

5.1.3 Stateless

[...] each request from client to server must contain all of the information necessary to understand the request, and cannot take advantage of any stored context on the server. Session state is therefore kept entirely on the client. [...]

When accessing protected resources that require authentication, for example, every request must contain all necessary data to be properly authenticated/authorized. And authentication data should belong to the standard HTTP Authorization header. From the RFC 7235:

4.2. Authorization

The Authorization header field allows a user agent to authenticate itself with an origin server -- usually, but not necessarily, after receiving a 401 (Unauthorized) response. Its value consists of credentials containing the authentication information of the user agent for the realm of the resource being requested. [...]

Wrapping up

REST is stateless. There's no login or logout in the sense of a session. Every request that targets a resource that requires authentication must carry the authentication data. And the session state is kept in the client side and not in the server.

answered Sep 18 '22 by cassiomolin
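As an added illustration of the answer above (not code from the question or the answerer), the following shows what "every request carries its own authentication data and the server keeps no session" looks like in practice. The login endpoint, after checking the password against the database, hands the client a self-describing token (an HMAC-signed payload with an expiry; the signing scheme, `SERVER_KEY` and the one-hour `TOKEN_TTL` are assumptions for the example). Every later request presents it in the `Authorization` header and is verified from the header alone, with no lookup of server-side state. Logout in this model is purely a client action: the app discards the token, and the expiry bounds how long a token the client failed to discard stays usable.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumed server signing key; in a real deployment it comes from a secret store.
SERVER_KEY = b"example-server-key-not-for-production"
TOKEN_TTL = 3600  # assumed token lifetime in seconds


def b64url(data: bytes) -> str:
    """URL-safe base64 without padding, so the token is safe in a header."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username: str, now: float = None) -> str:
    """Called by the login endpoint once the password has been verified.

    The token carries its own subject and expiry; nothing is stored on the server.
    """
    now = time.time() if now is None else now
    claims = {"sub": username, "exp": int(now) + TOKEN_TTL}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    signature = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return b64url(payload) + "." + b64url(signature)


def authenticate(headers: dict, now: float = None):
    """Return the username named by a valid Bearer token in the request, else None.

    Every request is checked from its own headers only (the stateless constraint).
    """
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or "." not in token:
        return None
    payload_b64, sig_b64 = token.rsplit(".", 1)
    try:
        payload = b64url_decode(payload_b64)
        signature = b64url_decode(sig_b64)
    except ValueError:
        return None
    # Verify the signature before trusting anything inside the payload.
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


if __name__ == "__main__":
    # Constructed walkthrough: login issues a token, a later request presents it.
    token = issue_token("alice")
    request_headers = {"Authorization": "Bearer " + token}
    print("authenticated as:", authenticate(request_headers))
    # "Logout" on the client: forget the token. A request without it is anonymous.
    request_headers.pop("Authorization")
    print("after discarding the token:", authenticate(request_headers))
```

The trade-off a practitioner should weigh: because the server keeps nothing, it also cannot revoke an individual token before it expires, so keep `TOKEN_TTL` short and treat a stolen token as valid until then.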


You will be needing two web services, one for logging in and one for logging out. At the time when the user is logging out of the app, you need to call the log out service.

In detail, you have to manage a flag in the database. That flag will be true when the correct username and password are passed through the login web service. And on the logout service you just need to send the username and update the flag as false. In this way you can also prevent multiple logins if you send the IMEI number of the mobile device to the login service along with the username and password.

answered Sep 19 '22 by Mithilesh Izardar


Login typically should give back either tokens or cookies (if not RESTful).

On logout, tokens should get expired.

If it's cookies, then first you can invalidate the session at the server side and delete the cookies at the client side.

Coming specifically to your problem, instead of a boolean flag, you can generate a new token (unique, random) post login, maintain it in a new column and expect the same token in consecutive requests. For basic logout, all you have to do is remove this token for that user.

answered Sep 18 '22 by Amit Yatagiri
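An added example (not from the question or either answerer) covering the approach in the two previous answers: a per-user column in the database records whether the user is logged in, and the value stored there is a random token rather than a boolean flag. Login verifies the password, generates the token and stores it; every later request presents it in the `Authorization` header and is matched against the column; logout clears the column. The schema, the in-memory SQLite database and the PBKDF2 work factor are assumptions for the example. Two choices go a little beyond the answers as written: the column holds a SHA-256 hash of the token, so a copy of the users table does not yield usable tokens, and logout identifies the user from the token presented rather than from a username in the request body, so one user cannot log out another.

```python
import hashlib
import hmac
import secrets
import sqlite3

PBKDF2_ITERATIONS = 200_000  # assumed work factor for the stored password hash


def open_db() -> sqlite3.Connection:
    """Constructed schema: users with a password hash and a login-token column."""
    db = sqlite3.connect(":memory:")
    db.execute(
        """CREATE TABLE users (
               username   TEXT PRIMARY KEY,
               salt       BLOB NOT NULL,
               pw_hash    BLOB NOT NULL,
               token_hash TEXT)"""  # NULL token_hash means "not logged in"
    )
    return db


def _password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def _token_hash(token: str) -> str:
    # Only the hash of the token is persisted; the plain token lives on the client.
    return hashlib.sha256(token.encode()).hexdigest()


def register(db: sqlite3.Connection, username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    db.execute(
        "INSERT INTO users VALUES (?, ?, ?, NULL)",
        (username, salt, _password_hash(password, salt)),
    )


def login(db: sqlite3.Connection, username: str, password: str):
    """Login service: verify the password, issue and store a fresh token.

    Returns the token on success and None otherwise. Issuing a new token
    replaces any earlier one, so only the most recent login stays valid.
    """
    row = db.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Do the same work for unknown users so timing does not reveal which exist.
        _password_hash(password, b"\x00" * 16)
        return None
    salt, pw_hash = row
    if not hmac.compare_digest(pw_hash, _password_hash(password, salt)):
        return None
    token = secrets.token_urlsafe(32)
    db.execute(
        "UPDATE users SET token_hash = ? WHERE username = ?",
        (_token_hash(token), username),
    )
    return token


def authenticate(db: sqlite3.Connection, headers: dict):
    """Return the username whose stored token matches the Bearer token, else None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    row = db.execute(
        "SELECT username FROM users WHERE token_hash = ?", (_token_hash(token),)
    ).fetchone()
    return row[0] if row else None


def logout(db: sqlite3.Connection, headers: dict) -> bool:
    """Logout service: revoke the token the request itself presents.

    Returns True if a token was revoked; a request with no valid token changes nothing.
    """
    user = authenticate(db, headers)
    if user is None:
        return False
    db.execute("UPDATE users SET token_hash = NULL WHERE username = ?", (user,))
    return True


if __name__ == "__main__":
    # Constructed walkthrough of the login -> request -> logout -> request sequence.
    db = open_db()
    register(db, "alice", "correct horse battery staple")
    token = login(db, "alice", "correct horse battery staple")
    headers = {"Authorization": "Bearer " + token}
    print("before logout:", authenticate(db, headers))
    logout(db, headers)
    print("after logout:", authenticate(db, headers))
```

Because the token is looked up on every request, revocation takes effect immediately, which is exactly what the stateless scheme in the first answer cannot offer; the price is one database read per request and a server that does hold per-user login state.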