I saw in some company's REST web-service documentation that in step 1 the client asks for an API key and the server returns server time, expiry time and auth_key as a response. In step 2, for login, the username, password and the md5 of both apikey and auth_key are sent and it returns a session id. In the remaining steps the user only sends the session id. How is this possible? By session? I'm confused, please help me anyone regarding this.
Each REST API call by a client is associated with a web service session. A session is created when client calls Login API and stays active until it times out or is logged out. When the session is created, a session ID that looks like a GUID is generated and assigned to it by the server.
Post a session token to this API endpoint to start a session and set a cookie to log a user into an app. This API endpoint works within a login flow in which your app server calls the Create Session Login Token API to generate a session token.
An API session is a temporary unique identifier tied to a company ID, user ID, possibly an entity (via location ID), and an endpoint URL. An API session is used as an alternative authentication method to avoid effectively logging in with company credentials for each API call.
They aren't actually making use of a session in the sense of a PHP session_start(). What they're really doing can be explained in a few steps:

Step 1 (API key request):
1. Generate an auth_key with a lifetime.
2. Save the api key, auth_key and expiry to a database table. The api key is very likely a UNIQUE index on the table.
3. Return the api key, auth_key and the expiry of the keys.

Step 2 (login):
1. Client sends md5(api_key . auth_key): I expect that you likely also send the api key along in a header.
2. Server uses the api key to query the database table.
3. Server retrieves the auth_key value and expiry.
4. Server checks that the auth_key has not expired; if it hasn't:
5. Server computes md5(api_key . auth_key).
6. Server compares that with the md5(api_key . auth_key) from your request.
7. Server generates a session_id associated to the authenticated account.
8. Server saves session_id, account_id. I'm using account id here because it's the most likely to use.
9. Server returns session_id to your client.

Remaining steps with session_id then work like so:
1. Server reads session_id from the request.
2. Server looks up session_id from the database.

In summary, that is the entire flow; which is why I said earlier that it doesn't use sessions in the way sessions work when you do a session_start(); meaning they can't do something like $_SESSION.

You should also know that trying to do sessions using session_start for a RESTful API is NOT RESTful.
This answer was just an explanation based on the question; you shouldn't think too much about it. To answer your question: look at the API key and auth key as two parts of a process that helps identify a user.
Every time you send a request, you send the public key and a string generated from combining the public and private key. The server takes the public key, searches for a valid private key, tries to compute the value using the same formula, and finally compares what it generates to what you generated.
If they're the same, it continues processing; if they're different, it terminates execution.
The validity of the session id above can be anything you want; usually it'll be long-lived (it can probably last up to 30 days).
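The two-step flow described in the answer, written out as an added Python example (not code from the documented API or from the answer): the two database tables are in-memory dicts, the username/password check of step 2 is assumed to happen separately, and md5 is kept only because that is what the documented API uses. The server side adds the checks a defender wants here: expiry is enforced, the proof is compared in constant time, and an auth_key is consumed once a session has been issued.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-ins for the two tables the answer describes.
KEYS = {}      # api_key -> {"auth_key", "expiry", "account_id"}
SESSIONS = {}  # session_id -> {"account_id", "expiry"}


def step1_issue_auth_key(api_key, account_id, lifetime=300, now=None):
    """Step 1: generate an auth_key with a lifetime and store it under the api key."""
    now = time.time() if now is None else now
    auth_key = secrets.token_hex(16)
    KEYS[api_key] = {"auth_key": auth_key, "expiry": now + lifetime, "account_id": account_id}
    return {"server_time": now, "expiry": now + lifetime, "auth_key": auth_key}


def client_proof(api_key, auth_key):
    """What the client sends in step 2: md5(api_key . auth_key), as the documented API specifies."""
    return hashlib.md5((api_key + auth_key).encode()).hexdigest()


def step2_login(api_key, proof, session_lifetime=30 * 86400, now=None):
    """Step 2: look up the api key, check expiry, verify the proof, issue a session_id."""
    now = time.time() if now is None else now
    rec = KEYS.get(api_key)
    if rec is None or now > rec["expiry"]:
        return None                       # unknown api key or auth_key already expired
    expected = client_proof(api_key, rec["auth_key"])
    if not hmac.compare_digest(expected, proof):
        return None                       # wrong proof; the auth_key stays usable until expiry
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"account_id": rec["account_id"], "expiry": now + session_lifetime}
    KEYS.pop(api_key)                     # the auth_key is single-use once a session exists
    return session_id


def authenticate(session_id, now=None):
    """Remaining steps: resolve the session_id from the request to an account, or None."""
    now = time.time() if now is None else now
    sess = SESSIONS.get(session_id)
    if sess is None or now > sess["expiry"]:
        SESSIONS.pop(session_id, None)    # drop a stale session on first use after expiry
        return None
    return sess["account_id"]
```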