Click here to close now.

Welcome!

Microservices Journal Authors: Carmen Gonzalez, Liz McMillan, Roger Strukhoff, Elizabeth White, Baruch Sadogursky

Related Topics: Microservices Journal, Java, .NET, Web 2.0, Cloud Expo, Apache

Microservices Journal: Article

Toss Your Cookies: Maintaining State on the Client with REST

Feel free to transfer application state to the client and rest assured you’re following REST.

REST quiz of the day: which is more important when following REST: updating the resource state or updating state on the client? Most developers are likely to say that REST focuses on updating resource state on the server. After all, POST, PUT, and DELETE all do so. GET is the only HTTP verb that fetches resource state without changing it.

If you've been reading ZapThink's discussion on REST, you probably realize that those developers are incorrect. Updating resource state is clearly an important part of REST, but updating state on the client is even more important. Why? Because client state is the foundation for distributed hypermedia applications. And after all, such applications are the point of REST.

In fact, the RESTful world distinguishes between resource state and application state, which is the state information the client maintains. And since hypermedia are the engine of application state, it makes sense that application state is more important to REST than resource state. After all, REST is representational state transfer. The representations are what the resources send to the clients, including application state information that belongs on the client.

HATEOAS and the Cloud
The topic of application state came up in an interesting discussion during our recent Cloud Computing for Architects course in San Diego. I was explaining how it's important to maintain a stateless application tier in the Cloud, because we want to put the components on that tier (Web servers, application servers, ESBs, etc.) onto virtual machine (VM) instances. In order to achieve the elasticity and resilience of the Cloud, then, we can't afford to maintain state information on such instances. We always have the option of persisting such state information, making it a part of the resource state, but relying too heavily on our resource state limits our scalability. The clear alternative is to transfer state information to the client, and let hypermedia be the engine of application state (otherwise known as the dreaded HATEOAS REST constraint).

One of the attendees in the class was confused by this discussion. He pointed out that if we use the client (say, a browser) to maintain state in a stateful application like an eCommerce shopping cart, then such state information must either go into hidden form fields or into the URL, so that the server can pass it along to the browser from one request to the next. But if the user is clicking a link rather than submitting a form, then they are executing a GET, and with a GET, the only place to put state information from the client to the server is in the URL. And we all know that URLs have a maximum length. What do we do, he asked, if we have too much state information for the URL? For example, we might have dozens of items in our cart. Was I suggesting passing the entire contents of each cart - product descriptions, prices, etc. - in the URL?

The answer, of course, is no. I say "of course" because such a question would be silly for anyone who truly understands REST. But I must admit, it took me a while to think through my response. The problem was that I have a background as a Web developer, and my student may have also built his share of Web sites back in the day as well. And back in the 1990s, before REST, in the early days of HTML and JavaScript, maintaining state in a browser was problematic. All we had were cookies and the aforementioned hidden form fields and URL query strings. And since people can turn their cookies off, we never wanted to rely on them. So yes, back in the day, if the user is clicking a link (i.e., performing a GET), the URL was all you had to work with.

With REST, however, we're working with an abstracted client. It need not be a browser, and in fact, it need not have a user interface at all. A RESTful client may serve as an intermediary, for example. Even when the client has a UI, it could be any type of application. For example, most mobile apps are written natively to the mobile environment (iPhone or Android, for the most part), and will continue to be at least until HTML5 is fully baked.

Even when the client is a browser, however, we have numerous ways of maintaining application state. Each approach, as you might expect, has its strengths and weaknesses:

  • Cookies - long a part of the HTTP protocol, cookies are universally supported and almost as universally reviled. We love them for enabling the "remember me" feature on Web sites with logins we visit frequently, and we hate them for enabling advertisers to track our browsing habits. Few app developers would rely on them for much else.
  • Hidden form fields - every Web developer's secret sauce. You can put whatever you want into such fields, and as long as the user submits the corresponding form, the contents of hidden fields go along for the ride. The problem is that hidden form fields only work with POST. In REST, POST is only for initializing a subsidiary resource, so if that's not what you're doing, then you don't want to POST. The other downside to hidden form fields is that application state information must always make a round trip to the server and back again, whether the server needs to do anything with it or not.
  • Frames - Frames made their debut in 1996 in Netscape Navigator 2.0, the same browser that introduced JavaScript to the world. Iframes came soon after. Both types of frames allowed new pages in the frame while maintaining state information in JavaScript variables in the enclosing page. In either case, however, updating the content of a frame doesn't change the URL in the browser's location field. As a result, reloading or following a bookmarked page takes you back to square one, deleting all state information.
  • JavaScript-only updates - More recent advances to the Document Object Model (DOM), in particular the innerHTML property, allow JavaScript to update any <div> element after the page is loaded. And since JavaScript can also perform all manner of RESTful calls, it's possible to make it appear that any or all of a page is changing, even though the page itself isn't actually reloading. As with frames, JavaScript variables can store state information, but also similar to frames, the URL the user sees doesn't change when your script interacts with the server.
  • Signed scripts - What about simply writing arbitrary content to the user's hard drive? Browser publishers have been monkeying with this capability since signed scripts debuted in the 1990s. The problem with giving the browser write privileges, of course, is security. One flaw and hackers can easily take over your computer. Needless to say, this capability never took off, although plugins like Adobe Flash can allow the ability to write to the users' hard drive.
  • DOM storage - Today we have DOM storage. Think cookies on steroids. Every modern browser can essentially store a JSON object that persists as the browser loads different pages. You have the option of maintaining such information for a browser session (you lose it when you quit the browser) or persisting it across browser sessions (where the browser writes the data to a file). This capability also enables developers to write browser apps that can function properly when the user is offline. The downside to DOM storage is that it only works in newer browsers - although Firefox, Internet Explorer, Chrome, and Safari all support it.
  • URL query string - finally, let's discuss storing state information in the URL. Yes, there's a character limit - the HTTP spec recommends sticking to 255 characters or less, although most browsers and Web servers support much longer URLs. So, how much can you cram into 255 characters? More than you might expect, if you use a tool like RISON for compacting JSON to squeeze more of it into each URL. Don't like RISON? There are alternatives available or you can create your own approach. Even with such techniques, however, there is still a size limit, and all such information must make the round trip to server and back.

The ZapThink Take
Based on the discussion above, you should have no more concerns about storing application state on the client. There are always tradeoffs, but one of the scenarios above should handle virtually every application state issue you're likely to come up with. Feel free to transfer application state to the client and rest assured you're following REST.

That is, of course, if you really are following REST, which means that you're building a hypermedia application. And while POST, PUT, and DELETE update resource state for hypermedia applications, every representation from resource back to client updates client state. Even a GET, which never changes resource state, still changes the application state. In other words, clicking a link or submitting a form loads a new page. Of course REST behaves that way.

While this article focused more on maintaining state on the client, therefore, REST is more concerned with updating state on the client. The real point here is that we have the luxury of choosing to maintain the state information we require while running an application whose state is supposed to change. Either way, hypermedia are the engine of application state.

Image source: bloggyboulga

More Stories By Jason Bloomberg

Jason Bloomberg is the leading expert on architecting agility for the enterprise. As president of Intellyx, Mr. Bloomberg brings his years of thought leadership in the areas of Cloud Computing, Enterprise Architecture, and Service-Oriented Architecture to a global clientele of business executives, architects, software vendors, and Cloud service providers looking to achieve technology-enabled business agility across their organizations and for their customers. His latest book, The Agile Architecture Revolution (John Wiley & Sons, 2013), sets the stage for Mr. Bloomberg’s groundbreaking Agile Architecture vision.

Mr. Bloomberg is perhaps best known for his twelve years at ZapThink, where he created and delivered the Licensed ZapThink Architect (LZA) SOA course and associated credential, certifying over 1,700 professionals worldwide. He is one of the original Managing Partners of ZapThink LLC, the leading SOA advisory and analysis firm, which was acquired by Dovel Technologies in 2011. He now runs the successor to the LZA program, the Bloomberg Agile Architecture Course, around the world.

Mr. Bloomberg is a frequent conference speaker and prolific writer. He has published over 500 articles, spoken at over 300 conferences, Webinars, and other events, and has been quoted in the press over 1,400 times as the leading expert on agile approaches to architecture in the enterprise.

Mr. Bloomberg’s previous book, Service Orient or Be Doomed! How Service Orientation Will Change Your Business (John Wiley & Sons, 2006, coauthored with Ron Schmelzer), is recognized as the leading business book on Service Orientation. He also co-authored the books XML and Web Services Unleashed (SAMS Publishing, 2002), and Web Page Scripting Techniques (Hayden Books, 1996).

Prior to ZapThink, Mr. Bloomberg built a diverse background in eBusiness technology management and industry analysis, including serving as a senior analyst in IDC’s eBusiness Advisory group, as well as holding eBusiness management positions at USWeb/CKS (later marchFIRST) and WaveBend Solutions (now Hitachi Consulting).

@MicroservicesExpo Stories
The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to wait for long development cycles that produce software that is obsolete at launch. DevOps may be disruptive, but it is essential. The DevOps Summit at Cloud Expo – to be held June 3-5, 2015, at the Javits Center in New York City – will expand the DevOps community, enable a wide...
Enterprises are fast realizing the importance of integrating SaaS/Cloud applications, API and on-premises data and processes, to unleash hidden value. This webinar explores how managers can use a Microservice-centric approach to aggressively tackle the unexpected new integration challenges posed by proliferation of cloud, mobile, social and big data projects. Industry analyst and SOA expert Jason Bloomberg will strip away the hype from microservices, and clearly identify their advantages and d...
Cloud Expo, Inc. has announced today that Andi Mann returns to DevOps Summit 2015 as Conference Chair. The 4th International DevOps Summit will take place on June 9-11, 2015, at the Javits Center in New York City. "DevOps is set to be one of the most profound disruptions to hit IT in decades," said Andi Mann. "It is a natural extension of cloud computing, and I have seen both firsthand and in independent research the fantastic results DevOps delivers. So I am excited to help the great team at ...
There is no question that the cloud is where businesses want to host data. Until recently hypervisor virtualization was the most widely used method in cloud computing. Recently virtual containers have been gaining in popularity, and for good reason. In the debate between virtual machines and containers, the latter have been seen as the new kid on the block – and like other emerging technology have had some initial shortcomings. However, the container space has evolved drastically since coming on...
Container frameworks, such as Docker, provide a variety of benefits, including density of deployment across infrastructure, convenience for application developers to push updates with low operational hand-holding, and a fairly well-defined deployment workflow that can be orchestrated. Container frameworks also enable a DevOps approach to application development by cleanly separating concerns between operations and development teams. But running multi-container, multi-server apps with containers ...
Converging digital disruptions is creating a major sea change - Cisco calls this the Internet of Everything (IoE). IoE is the network connection of People, Process, Data and Things, fueled by Cloud, Mobile, Social, Analytics and Security, and it represents a $19Trillion value-at-stake over the next 10 years. In her keynote at @ThingsExpo, Manjula Talreja, VP of Cisco Consulting Services, will discuss IoE and the enormous opportunities it provides to public and private firms alike. She will shar...
With major technology companies and startups seriously embracing IoT strategies, now is the perfect time to attend @ThingsExpo in Silicon Valley. Learn what is going on, contribute to the discussions, and ensure that your enterprise is as "IoT-Ready" as it can be! Internet of @ThingsExpo, taking place Nov 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 17th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading in...
SYS-CON Events announced today that EnterpriseDB (EDB), the leading worldwide provider of enterprise-class Postgres products and database compatibility solutions, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. EDB is the largest provider of Postgres software and services that provides enterprise-class performance and scalability and the open source freedom to divert budget from more costly traditiona...
How can you compare one technology or tool to its competitors? Usually, there is no objective comparison available. So how do you know which is better? Eclipse or IntelliJ IDEA? Java EE or Spring? C# or Java? All you can usually find is a holy war and biased comparisons on vendor sites. But luckily, sometimes, you can find a fair comparison. How does this come to be? By having it co-authored by the stakeholders. The binary repository comparison matrix is one of those rare resources. It is edite...
With the advent of micro-services, the application design paradigm has undergone a major shift. The days of developing monolithic applications are over. We are bringing in the principles (read SOA) hereto the preserve of applications or system integration space into the application development world. Since the micro-services are consumed within the application, the need of ESB is not there. There is no message transformation or mediations required. But service discovery and load balancing of ...
The integration between the 2 solutions is handled by a module provided by XebiaLabs that will ensure the containers are correctly defined in the XL Deloy repository based on the information managed by Puppet. It uses the REST API offered by the XL Deploy server: so the security permissions are checked as a operator could do it using the GUI or the CLI. This article shows you how use the xebialabs/xldeploy Puppet module. The Production environment is based on 2 tomcats instances (tomcat1 &...
Do you think development teams really update those BMC Remedy tickets with all the changes contained in a release? They don't. Most of them just "check the box" and move on. They rose a Risk Level that won't raise questions from the Change Control managers and they work around the checks and balances. The alternative is to stop and wait for a department that still thinks releases are rare events. When a release happens every day there's just not enough time for people to attend CAB meeting...
T-Mobile has been transforming the wireless industry with its “Uncarrier” initiatives. Today as T-Mobile’s IT organization works to transform itself in a like manner, technical foundations built over the last couple of years are now key to their drive for more Agile delivery practices. In his session at DevOps Summit, Martin Krienke, Sr Development Manager at T-Mobile, will discuss where they started their Continuous Delivery journey, where they are today, and where they are going in an effort ...
SYS-CON Events announced today that the "First Containers & Microservices Conference" will take place June 9-11, 2015, at the Javits Center in New York City. The “Second Containers & Microservices Conference” will take place November 3-5, 2015, at Santa Clara Convention Center, Santa Clara, CA. Containers and microservices have become topics of intense interest throughout the cloud developer and enterprise IT communities.
Disruptive macro trends in technology are impacting and dramatically changing the "art of the possible" relative to supply chain management practices through the innovative use of IoT, cloud, machine learning and Big Data to enable connected ecosystems of engagement. Enterprise informatics can now move beyond point solutions that merely monitor the past and implement integrated enterprise fabrics that enable end-to-end supply chain visibility to improve customer service delivery and optimize sup...
Buzzword alert: Microservices and IoT at a DevOps conference? What could possibly go wrong? In this Power Panel at DevOps Summit, moderated by Jason Bloomberg, the leading expert on architecting agility for the enterprise and president of Intellyx, panelists will peel away the buzz and discuss the important architectural principles behind implementing IoT solutions for the enterprise. As remote IoT devices and sensors become increasingly intelligent, they become part of our distributed cloud en...
I’ve been thinking a bit about microservices (μServices) recently. My immediate reaction is to think: “Isn’t this just yet another new term for the same stuff, Web Services->SOA->APIs->Microservices?” Followed shortly by the thought, “well yes it is, but there are some important differences/distinguishing factors.” Microservices is an evolutionary paradigm born out of the need for simplicity (i.e., get away from the ESB) and alignment with agile (think DevOps) and scalable (think Containerizati...
In this Power Panel at DevOps Summit, moderated by Jason Bloomberg, president of Intellyx, panelists Roberto Medrano, Executive Vice President at Akana; Lori MacVittie, IoT_Microservices Power PanelEvangelist for F5 Networks; and Troy Topnik, ActiveState’s Technical Product Manager; will peel away the buzz and discuss the important architectural principles behind implementing IoT solutions for the enterprise. As remote IoT devices and sensors become increasingly intelligent, they become part of ...
There is no doubt that Big Data is here and getting bigger every day. Building a Big Data infrastructure today is no easy task. There are an enormous number of choices for database engines and technologies. To make things even more challenging, requirements are getting more sophisticated, and the standard paradigm of supporting historical analytics queries is often just one facet of what is needed. As Big Data growth continues, organizations are demanding real-time access to data, allowing immed...
I’m not going to explain the basics of microservices, as that’s that’s handled elsewhere. The pattern of using APIs, initially built to cross application boundaries within a single enterprise or organization, is now being leveraged within a single application architecture to deliver functionality. Microservices adoption is being driven by two forces: the need for agility and speed; and the re-composing of applications enabling experimentation and demands to support new delivery platforms such as...