[jholman]

Which part of logins and cookies is RESTful?

Fielding's REST requires that the protocol be "stateless"... not that there be no state, but that the client and the server need not keep track of each other. Cookies, as Fielding explicitly calls out, are in violation of this principle. Every website that uses cookies is not RESTful.

Some people might conclude from this that FB, Amazon, and HN are "not good", because they're not RESTful. I personally conclude something else, but YMMV.

[adam419]

The RESTful principle actually just declares that request response cycles and server-client interactions don't have to be stateful, not that it's necessary they're stateless.

It's still possible to use sessions and other ways of maintaining client state while adhering to other stateless principles such as indempotency of certains types of requests.

[colin_jack]

I don't really think that's always true, if the cookie merely has a session ID then the session itself can be stored server-side (not necessarily in memory of course) and in fact could be a resource in its own right.

Also deciding to put the session ID in a cookie not the URL is purely a pragmatic approach (e.g for security reasons).