1 Session Identification
When using the REST API, a session is identified by two values together: the session secret cookie and the session id, which must be sent as the query parameter sid. This ensures that
- A session can never be fully identified by URLs (because the session secret is not part of the URL)
- One client may have multiple sessions. They share the same session secret, but use different session ids
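The two-part identification described above, modelled as an added example (constructed here, not code from the product or this page): one session secret per client, several sessions under it with distinct sids, and a check that accepts a request only when the sid exists and was opened under the presented secret. The starting sid 1022 is taken from the sample response below; the secret format, the store layout and the demo client are assumptions.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class SessionStore:
    """Constructed model of the session secret cookie + sid scheme.

    A client holds one session secret (the cookie) and may open several
    sessions under it, each with its own sid (sent as the query parameter).
    A request is accepted only when the sid exists AND was created under the
    secret presented with it, so neither a leaked URL (sid only) nor the
    cookie on its own is enough.
    """
    next_sid: int = 1022                             # first value from the sample response
    sessions: dict = field(default_factory=dict)     # sid -> session secret

    def new_secret(self) -> str:
        """Random, URL-safe secret the server sets as the session secret cookie."""
        return secrets.token_urlsafe(32)

    def create_session(self, secret: str) -> str:
        """Open a session for the client holding `secret`; returns the new sid."""
        sid = str(self.next_sid)
        self.next_sid += 1
        self.sessions[sid] = secret
        return sid

    def validate(self, secret, sid) -> bool:
        """True only if sid is live and belongs to the presented secret."""
        expected = self.sessions.get(sid)
        if expected is None or secret is None:
            return False
        # constant-time comparison: a guessed cookie cannot be confirmed byte by byte
        return secrets.compare_digest(expected.encode(), str(secret).encode())

    def logout(self, sid) -> None:
        """Invalidate one session. The page does not say whether sibling
        sessions under the same secret survive, so only `sid` is touched."""
        self.sessions.pop(sid, None)


def demo() -> dict:
    """Exercise the rules with a constructed client; returns the observations."""
    store = SessionStore()
    secret = store.new_secret()
    sid_a = store.create_session(secret)   # first session of the client
    sid_b = store.create_session(secret)   # second session, same cookie, other sid
    observed = {
        "distinct_sids": sid_a != sid_b,
        "both_valid": store.validate(secret, sid_a) and store.validate(secret, sid_b),
        "sid_alone_rejected": not store.validate(None, sid_a),       # leaked URL, no cookie
        "unknown_sid_rejected": not store.validate(secret, "9999"),  # cookie, wrong sid
        "foreign_secret_rejected": not store.validate(store.new_secret(), sid_a),
    }
    store.logout(sid_a)
    observed["logged_out_rejected"] = not store.validate(secret, sid_a)
    return observed
```

Every entry of demo() is True; the point to take from it is that a sid appearing in a log or a shared link carries nothing usable without the cookie, and the cookie alone cannot be replayed against a session it did not open.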
2 Authentication with credentials
To login with credentials, the client must
POST /rest/auth/login
{ "login": ..., "password": ... }
The response will be of the form
{
  "sid": "1022",
  "user": {
    "id": 34,
    "description": "",
    "login": "editor",
    "email": "",
    "firstName": "Max",
    "lastName": "No-Publish"
  },
  "responseInfo": {
    "responseCode": "OK",
    "responseMessage": "Successfully performed login"
  }
}
Note that the User-Agent header has to be set in the request, since it is stored in the session; without it the login will fail.
Additionally, the session secret cookie will be set to the client.
3 Logout
A logout can be performed with the following request
POST /rest/auth/logout/{sid}
In the response, the session secret cookie is removed.
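The login, authenticated request and logout flow of sections 2 and 3 from the client side, as an added example (not code from the product or this page). The client sends the User-Agent header on every request, keeps the session secret only in the cookie, appends the sid as the query parameter, and drops the secret when the logout response removes the cookie. Assumptions: the cookie name SESSION_SECRET (the page does not name it), plain HTTP in http_transport, and the constructed credentials and fake_transport, which mimics the documented responses so the example runs offline.

```python
import json
import http.client
from http.cookies import SimpleCookie
from urllib.parse import urlencode, urlsplit

# Assumed name of the session secret cookie; the page does not state it.
SECRET_COOKIE = "SESSION_SECRET"


class RestSession:
    """Client side of the login / request / logout flow.

    `transport(method, path, headers, body)` performs one HTTP request and
    returns (status, response_headers, response_body). http_transport talks
    to a real server; fake_transport is a constructed stand-in for offline use.
    """

    def __init__(self, transport, user_agent):
        self.transport = transport
        self.user_agent = user_agent   # required: the server stores it in the session
        self.secret = None             # session secret, carried only in the cookie
        self.sid = None                # session id, carried as query parameter sid

    def _request(self, method, path, payload=None):
        headers = {"User-Agent": self.user_agent}
        if self.secret is not None:
            headers["Cookie"] = f"{SECRET_COOKIE}={self.secret}"
        if self.sid is not None:
            path = f"{path}?{urlencode({'sid': self.sid})}"   # the secret never enters the URL
        body = None
        if payload is not None:
            headers["Content-Type"] = "application/json"
            body = json.dumps(payload).encode()
        status, resp_headers, resp_body = self.transport(method, path, headers, body)
        set_cookie = resp_headers.get("Set-Cookie")
        if set_cookie:
            jar = SimpleCookie()
            jar.load(set_cookie)
            morsel = jar.get(SECRET_COOKIE)
            if morsel is not None:
                # an empty value or Max-Age=0 is the server removing the cookie (logout)
                removed = not morsel.value or morsel["max-age"] == "0"
                self.secret = None if removed else morsel.value
        return status, (json.loads(resp_body) if resp_body else {})

    def login(self, login, password):
        status, data = self._request("POST", "/rest/auth/login",
                                     {"login": login, "password": password})
        info = data.get("responseInfo", {})
        if status != 200 or info.get("responseCode") != "OK":
            raise PermissionError(info.get("responseMessage", f"login failed ({status})"))
        self.sid = data["sid"]
        return data["user"]

    def logout(self):
        status, _ = self._request("POST", f"/rest/auth/logout/{self.sid}")
        self.sid = None
        return status == 200


def http_transport(host, port=80):
    """Transport over http.client for a real server (assumes plain HTTP)."""
    def send(method, path, headers, body):
        conn = http.client.HTTPConnection(host, port, timeout=10)
        conn.request(method, path, body=body, headers=headers)
        resp = conn.getresponse()
        data = resp.read()
        conn.close()
        return resp.status, {"Set-Cookie": resp.getheader("Set-Cookie")}, data
    return send


# Constructed credentials and server stand-in mirroring the responses quoted above.
FAKE_CREDENTIALS = {"login": "editor", "password": "constructed-password"}


def fake_transport(method, path, headers, body):
    url = urlsplit(path)
    if method == "POST" and url.path == "/rest/auth/login":
        if not headers.get("User-Agent"):      # the documented failure mode
            return 401, {}, json.dumps({"responseInfo": {"responseMessage": "User-Agent missing"}}).encode()
        if json.loads(body) != FAKE_CREDENTIALS:
            return 401, {}, json.dumps({"responseInfo": {"responseMessage": "bad credentials"}}).encode()
        resp = {"sid": "1022",
                "user": {"id": 34, "login": "editor", "firstName": "Max", "lastName": "No-Publish"},
                "responseInfo": {"responseCode": "OK", "responseMessage": "Successfully performed login"}}
        return 200, {"Set-Cookie": f"{SECRET_COOKIE}=constructed-secret; HttpOnly; Path=/"}, json.dumps(resp).encode()
    if method == "POST" and url.path.startswith("/rest/auth/logout/"):
        return 200, {"Set-Cookie": f"{SECRET_COOKIE}=; Max-Age=0; Path=/"}, b"{}"
    return 404, {}, b""
```

Against a real instance the same RestSession is used with http_transport(host) in place of fake_transport; the fake keeps the secret out of the URL exactly as the client would with a live server, so logging the request line of any call after login shows only ?sid=1022.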