Skip to content

API Sessions

Jump to bottom
Lukas Metzger edited this page Mar 16, 2018 · 4 revisions

Sessions

Sessions are used to authenticate subsequent request from a client. For the created session the client receives a token. This should be provided in the HTTP header X-Authentication for the following requests. The server can check with that token of the client authenticated before, and is also able to retrieve the user-id of that user from memory. The session should time out if no request occurs for a defined time.

Session information can be stored in PHP APCu for persistence between calls. While this approach requires the PHP-APCu extension to be present it does not rely on the PHP Session and is therefore also possible for clients which do not handle cookies.

Add a new session

POST /sessions

The provided token should be 64 byte (512-bit) of cryptographic strong entropy, encoded with base64.

Body

{
  "username": "foo",
  "password": "bar"
}

Response

code result
201 Everything okay, session was created
403 User credentials are not correct
422 One of the required fields is missing 
{
  "username": "foo",
  "token": "3X6x4Osgm1rFuujAv6fqf0O/ITlXJ3ChlvKdEnUy/kNZ/Dlzzr2sZ6OalqkFYRrgSulyL0e4E7DJf4NW35mpyQ=="
}

Delete Session (Log out)

code result
204 Everything okay, therefore the answer has not content
404 Session was not found

DELETE /sessions/{token}

Clone this wiki locally