Stick to my REST guns or violate statelessness? Consultation needed

I wrote a RESTful servlet, and the user interface designer wants to save the login state on the server.

He made this strange statement: "I have not come across a realistic REST implementation, which is pure REST. The ones I saw had a server that supports the session."

I find it hard to accept. Firstly, as a technicality, there are a lot of simple HTTP pages where everything is purely RESTful. Secondly, yes, there are non-RESTful implementations designated RESTful, just like brass labeled "gold". Thirdly, just because everyone else is jumping off the bridge, this does not mean that I should.

Background: This is an Ajax JavaScript web application using HTTPS and basic authentication. To avoid the usual pop-up login window (not standardized), the application displays a login screen with a product logo and text fields for username and password. The name and password are stored in the document and sent in the Authorization header for each request. If you refresh the page, the username and password are lost, and the user must enter them again. This is considered a mistake; the user interface designer wants to be able to click the refresh button without re-entering the password.

Therefore, the developer wants to use a cookie or JSP session. Abby, is it true that in the end every REST implementation maintains the state of the application on the server? Or can I solve this problem and keep my RESTful implementation clean?

+5
4
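As an added example (not code from the original post or its answers), this is how the client design described in the question can be written: credentials held only in page memory, an HTTP Basic Authorization header built for every request, and a 401 handler that drops the credentials and asks for the login screen again. The injected fetch implementation and the onLoginRequired callback are assumptions of the example.

```javascript
// Added example (not from the original question): an in-memory credential
// holder and a fetch wrapper that sends HTTP Basic credentials on every
// request, as the question describes. Nothing is persisted on the server
// or in browser storage, which is exactly why a page refresh loses the login.

// Base64-encode a UTF-8 string; works in Node and in browsers with btoa.
function base64Utf8(str) {
  if (typeof Buffer !== "undefined") {
    return Buffer.from(str, "utf8").toString("base64");
  }
  return btoa(String.fromCharCode(...new TextEncoder().encode(str)));
}

// Build the value of the Authorization header for HTTP Basic auth.
function basicAuthHeader(username, password) {
  return "Basic " + base64Utf8(username + ":" + password);
}

// Credentials live only in this closure (page memory); a refresh discards them.
// fetchImpl and onLoginRequired are injected (assumed) so the client is testable.
function createAuthClient(fetchImpl, onLoginRequired) {
  let credentials = null; // { username, password } or null

  return {
    login(username, password) {
      credentials = { username, password };
    },
    logout() {
      credentials = null;
    },
    isLoggedIn() {
      return credentials !== null;
    },
    // Send a request with the Authorization header attached; on 401 the
    // stored credentials are dropped and the login screen callback fires.
    async request(url, options = {}) {
      if (credentials === null) {
        onLoginRequired();
        throw new Error("not logged in");
      }
      const headers = Object.assign({}, options.headers, {
        Authorization: basicAuthHeader(credentials.username, credentials.password),
      });
      const response = await fetchImpl(url, Object.assign({}, options, { headers }));
      if (response.status === 401) {
        credentials = null;
        onLoginRequired();
      }
      return response;
    },
  };
}
```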


, . , HTTP Digest - , WWW-Authenticate Authorization. , , , REST.

, , HTTP Basic/Digest , -, , cookie. , , , (, " ", 401) . Basic/Digest/Certificate, Ajax , , CSRF.


EDIT ( ):

, , cookie . , . , , CSRF Basic/Digest/Cert ( 2003 , ), cookie. . , cookie, cookie HTTPS.

+3


+2
  • REST , , HTTP, cookie. , cookie.


Abby.

0


In short, there are no strong arguments in any direction, and you probably should not depend on whether you are "clean" enough in your quest for REST. The real problem is the client's behavior, and that is something you can adjust regardless, as Sjrd suggests.

0