 

How to make use of session in REST API

Tags: rest, php

I saw in some company's REST web-service documentation that in step 1 the client asks for an API key and they return server time, expiry time and auth_key as a response. In step 2, for login, the client sends user name, password and the md5 of both apikey and auth_key, and it returns a session id. In the remaining steps the user only has to send the session id. How is it possible? By session? I'm confused, please help me, anyone, regarding this.

Arun asked Apr 09 '16 08:04


People also ask

Can I use session in REST API?

Each REST API call by a client is associated with a web service session. A session is created when client calls Login API and stays active until it times out or is logged out. When the session is created, a session ID that looks like a GUID is generated and assigned to it by the server.

How do I start a session in API?

Post a session token to this API endpoint to start a session and set a cookie to log a user into an app. This API endpoint works within a login flow in which your app server calls the Create Session Login Token API to generate a session token.

What is session in API?

An API session is a temporary unique identifier tied to a company ID, user ID, possibly an entity (via location ID), and an endpoint URL. An API session is used as an alternative authentication method to avoid effectively logging in with company credentials for each API call.


1 Answer

They aren't actually making use of a session in the sense of a PHP session_start(). What they're really doing can be explained in a few steps:

  1. You ask for an API key:
    1. The service then generates an auth_key with a lifetime
    2. Saves the generated api key, auth_key and expiry to a database table. The api key is very likely a UNIQUE index on the table.
    3. Sends a response to the user containing the generated api key, auth_key and the expiry of the keys.
  2. You send your login details, along with the md5(api_key . auth_key): I expect that you likely also send the api key along in a header.
    1. It first uses the received api key to query the database table
    2. Retrieves the auth_key value and expiry
    3. Checks that the auth_key has not expired; if it hasn't
    4. Computes the md5(api_key . auth_key)
    5. Compares it to the md5(api_key . auth_key) from your request
    6. If it is the same, then it checks your login details
    7. If the login details are correct, it generates a unique session_id associated to the authenticated account
    8. It saves these details to another database table: session_id, account_id. I'm using account id here because it's the most likely to use.
    9. It returns this session_id to your client
  3. Every request you send after that with the session_id then works like so:
    1. It retrieves the session_id from the request
    2. It tries to retrieve the account associated to the session_id from the database
    3. If found/valid and you have access/permissions to perform the operation, it executes the command.

In summary, that is the entire flow, which is why I said earlier that it doesn't use sessions in the way sessions work when you do a session_start(); meaning they can't do something like $_SESSION. You should also know that trying to do sessions using session_start for a RESTful API is NOT RESTful.

Update due to Rajan's comment

This answer was just an explanation based on the question; you shouldn't think too much about it. To answer your question; look at the API key, and Auth key as 2 parts of a process that helps identify a user:

  • one public: API key
  • one private: Auth key

Every time you send a request, you send the public key, and a string generated from combining the public and private key. The server takes the public key, searches for a valid private key, and tries to compute the value using the same formula, then finally compares what it generates to what you generated.

If they're the same, it continues processing; if they're different, it terminates execution.

The validity of the session id above can be anything you want; usually it'll be long-lived (can probably last up to 30 days).

Emmanuel Okeke answered Oct 02 '22 16:10
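The following is an added, self-contained PHP sketch of the three-step flow the answer describes (api_key/auth_key issuance, login with md5(api_key . auth_key), then session_id-only requests). It is not code from the thread or from any real service: the class name `ApiAuthService`, the method names, the in-memory arrays that stand in for the two database tables, and the sample account are all constructed for illustration. It keeps the md5 proof exactly as the answer states it so the mapping to the steps is obvious, and adds three practitioner details the answer only implies: the comparison uses `hash_equals` so timing does not leak how much of the proof matched, the api_key/auth_key pair is consumed on successful login so the same proof cannot be replayed, and every lookup checks expiry.

```php
<?php
// Added illustration of the flow in the answer above; not the thread's own code.
// Plain arrays stand in for the two tables: (api_key -> auth_key, expiry)
// and (session_id -> account_id, expiry). A real service would use a DB with
// a UNIQUE index on api_key and on session_id.

final class ApiAuthService
{
    /** @var array<string, array{auth_key: string, expires: int}> keyed by api_key */
    private array $apiKeys = [];
    /** @var array<string, array{account_id: int, expires: int}> keyed by session_id */
    private array $sessions = [];
    /** @var array<string, array{account_id: int, password_hash: string}> keyed by username */
    private array $accounts;

    public function __construct(array $accounts)
    {
        $this->accounts = $accounts; // constructed sample accounts, see bottom of file
    }

    // Step 1: the client asks for an API key; the server mints an api_key/auth_key pair with a lifetime.
    public function issueKeys(int $now, int $lifetimeSeconds = 300): array
    {
        $apiKey  = bin2hex(random_bytes(16)); // public part, sent in every later request
        $authKey = bin2hex(random_bytes(32)); // private part, returned once; never log it
        $expires = $now + $lifetimeSeconds;
        $this->apiKeys[$apiKey] = ['auth_key' => $authKey, 'expires' => $expires];
        return ['api_key' => $apiKey, 'auth_key' => $authKey, 'server_time' => $now, 'expires' => $expires];
    }

    // Step 2: the client sends api_key, md5(api_key . auth_key), username and password.
    // Returns a session_id on success, null on any failure (the caller maps null to 401).
    public function login(string $apiKey, string $proof, string $username, string $password, int $now): ?string
    {
        $row = $this->apiKeys[$apiKey] ?? null;
        if ($row === null || $row['expires'] < $now) {
            return null; // unknown or expired api_key
        }
        // md5(api_key . auth_key) mirrors the scheme in the answer;
        // hash_hmac('sha256', $apiKey, $row['auth_key']) would be the stronger choice for a new design.
        $expected = md5($apiKey . $row['auth_key']);
        if (!hash_equals($expected, $proof)) {
            return null; // constant-time compare: a plain === leaks how many leading bytes matched
        }
        $account = $this->accounts[$username] ?? null;
        if ($account === null || !password_verify($password, $account['password_hash'])) {
            return null;
        }
        // Consume the pair so the same proof cannot be replayed to obtain a second session.
        unset($this->apiKeys[$apiKey]);
        $sessionId = bin2hex(random_bytes(32));
        $this->sessions[$sessionId] = ['account_id' => $account['account_id'], 'expires' => $now + 30 * 86400];
        return $sessionId;
    }

    // Step 3: later requests carry only the session_id; resolve it to an account_id or reject.
    public function accountForSession(string $sessionId, int $now): ?int
    {
        $s = $this->sessions[$sessionId] ?? null;
        if ($s === null || $s['expires'] < $now) {
            unset($this->sessions[$sessionId]); // drop stale rows on the way out
            return null;
        }
        return $s['account_id'];
    }

    public function logout(string $sessionId): void
    {
        unset($this->sessions[$sessionId]);
    }
}

// Constructed sample data; the password hash is generated at runtime so nothing is hard-coded.
$service = new ApiAuthService([
    'alice' => ['account_id' => 42, 'password_hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
]);
$now   = time();
$keys  = $service->issueKeys($now);                                  // step 1 response
$proof = md5($keys['api_key'] . $keys['auth_key']);                  // what the client computes for step 2
$sid   = $service->login($keys['api_key'], $proof, 'alice', 'correct horse', $now);
var_dump($sid !== null);                                             // first login with a valid pair
var_dump($service->accountForSession($sid, $now));                   // step 3 lookup while the session is live
var_dump($service->login($keys['api_key'], $proof, 'alice', 'correct horse', $now)); // replayed proof
var_dump($service->accountForSession($sid, $now + 31 * 86400));      // lookup after the 30-day lifetime
```

Run it with `php flow.php`. The interesting lines are the last two `var_dump` calls: the replayed proof is rejected because the pair was consumed at first login, and the session lookup after its lifetime is rejected even though the session_id itself is still well-formed. Both checks are cheap, and both are the kind of thing that is easy to forget when the scheme is described only as "it compares the md5 and returns a session id".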