RESTFul service has a rule that it should be stateless. By beeing that it does not allow a session to be created and maintained by sending a session key between the client and the server and then holding a session state on the server.

If i look at the definition in wikipedia of stateless server http://en.wikipedia.org/wiki/Stateless_server

"A stateless server is a server that treats each request as an independent transaction that is unrelated to any previous request"

It states that it should be unrelated to any previous request. In practice this means that any type of authentication will be comparing the credentials of a user to a state on the server that was created by a previous operation.

So a service called login is related to and dependent on the state that has been created by previous requests (ex: create_user and/or change_password).

In my view you are breaking statelessnes by doing authentication. My point is that people are complaining about having sessions in RESTFul is breaking statelesness but doing authentication is also breaking the same rule.

What do you think?