jason_h_erickson | 7 Feb 23:30

Stateless services requiring authentication in an AJAX application


I have a web application that has many web services and an AJAX web client as well as some mobile clients. I won't call them RESTful web services, but I'm trying to get them closer.

One problem I have is that I am trying to avoid having any application state on the server. I have that with the exception of having an authenticated session. Nothing is stored in the session except for the user's "Subject" which knows whether or not it is authenticated and who it is authenticated as.

But I want to get all the way to having no session, but that means I have to authenticate with every request. My mobile clients have no trouble doing this. (In fact, they do it already.) However, this seems to be rather tricky from a browser.

If the ENTIRE application were in one web page, then you could just store the credentials in memory. However, if you have to go from one web page to another, it starts to get hairy.

Does anyone on this list have any best practices for avoiding having any session in web applications (Human to Machine) requiring authentication?
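As an added example (not the poster's code), here is one way to meet the "authenticate with every request" requirement with no server-side session: the only thing the server keeps is a signing key, it hands out an HMAC-signed token carrying the subject and an expiry at login, and every later request is checked against that key alone. The function names and the key value are assumptions chosen for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# The only state the service keeps: a signing key (constructed demo value).
SERVER_KEY = b"constructed-demo-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Called once after the user proves who they are; nothing is stored afterwards."""
    now = time.time() if now is None else now
    claims = json.dumps({"sub": subject, "exp": int(now + ttl_seconds)},
                        separators=(",", ":")).encode()
    tag = hmac.new(SERVER_KEY, claims, hashlib.sha256).digest()
    return _b64(claims) + "." + _b64(tag)


def authenticate_request(token: Optional[str], now: Optional[float] = None) -> Optional[str]:
    """Run on every request. Returns the authenticated subject, or None."""
    now = time.time() if now is None else now
    if not token or token.count(".") != 1:
        return None
    body, tag = token.split(".")
    try:
        claims_raw = _unb64(body)
        expected = hmac.new(SERVER_KEY, claims_raw, hashlib.sha256).digest()
        # Constant-time compare so a forged tag cannot be guessed byte by byte.
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None
        claims = json.loads(claims_raw)
    except (ValueError, TypeError):
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None
    if claims["exp"] <= now:
        return None
    return claims.get("sub")
```

The verifier does not care how the client carries the token between pages; the browser and the mobile clients present it the same way on each call, and revocation before expiry is the one thing this design gives up by keeping no list on the server.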
