Tech Tip: Avoid REST Direct Access Session Flooding
PRODUCT: 4D | VERSION: 21 | PLATFORM: Mac & Win
Published On: March 26, 2026
When unauthenticated HTTP requests hit the 4D built-in REST server, the Administration window can quickly become overwhelmed by hundreds of "REST Direct Access" entries with no associated users.
Restart the 4D Server to clear all existing REST Direct Access sessions immediately.
To stop new sessions from being created, set $0 := False in the On REST Authentication database method, or add proper authentication:

```4d
#DECLARE($url : Text; $header : Text; $ipB : Text; $ipS : Text; \
	$user : Text; $pw : Text)->$accept : Boolean

// Placeholder: replace False with your own logic (check header, token, IP, etc.)
If (False)
	$accept:=True
Else
	$accept:=False
End if
```
Ensure client applications reuse the WASID4D cookie; details are in https://blog.4d.com/a-better-understanding-of-4d-rest-sessions/. If REST is not required, disable global exposure in Database Settings > Web > Web Features and uncheck “Expose as REST resource” on every table in the Structure Editor.
To enhance overall firewall security, permit HTTP traffic only from trusted IPs instead of leaving it open to the world.
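The advice above to reuse the WASID4D cookie can be checked from the client side. The following is an added example, not code from 4D or from the original tip: it compares a client that discards cookies with one that keeps a cookie jar. The local stub server is a constructed stand-in that opens a session whenever the cookie is absent (an assumption modelled on the behaviour the tip describes), and the `/rest/Demo` path is hypothetical.

```python
import http.cookiejar
import threading
import urllib.request
import uuid
from http.server import BaseHTTPRequestHandler, HTTPServer

COOKIE = "WASID4D"  # session cookie name given in the tip

def make_stub_server():
    """Constructed stand-in (not 4D): opens a session whenever the cookie is absent."""
    sessions = set()

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            sent = self.headers.get("Cookie", "")
            sid = next((p.split("=", 1)[1] for p in sent.split("; ")
                        if p.startswith(COOKIE + "=")), None)
            self.send_response(200)
            if sid not in sessions:  # unknown or missing cookie: new session
                sid = uuid.uuid4().hex
                sessions.add(sid)
                self.send_header("Set-Cookie", f"{COOKIE}={sid}; Path=/; HttpOnly")
            self.send_header("Content-Length", "2")
            self.end_headers()
            self.wfile.write(b"{}")

        def log_message(self, *args): pass  # keep the demo quiet

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, sessions

def sessions_opened(reuse_cookie, requests=5):
    """Send `requests` GETs and return how many sessions the stub had to create."""
    server, sessions = make_stub_server()
    url = f"http://127.0.0.1:{server.server_port}/rest/Demo"  # hypothetical path
    handlers = [urllib.request.ProxyHandler({})]  # ignore any proxy settings
    if reuse_cookie:
        # The cookie jar stores Set-Cookie and replays it on later requests.
        handlers.append(urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))
    opener = urllib.request.build_opener(*handlers)
    for _ in range(requests):
        opener.open(url, timeout=5).read()
    server.shutdown()
    server.server_close()
    return len(sessions)

if __name__ == "__main__":
    print("without reuse:", sessions_opened(False), "with reuse:", sessions_opened(True))
```

The same comparison applies to any HTTP client library: a shared cookie store (or an explicit `Cookie` header carrying the stored value) keeps the session count at one per client rather than one per request.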