
I saw in some company's REST web-service documentation that in step 1 you ask for an API key and they return the server time, an expiry time and an auth_key as the response. In step 2, for login, you send the user name, the password and the md5 of both the API key and the auth_key, and it returns a session ID. In the remaining steps the user only sends the session ID. How is this possible? By a session? I'm confused; could anyone please help me with this?

Uwe Keim
Arun
    How is what possible, exactly? – IceFire Apr 09 '16 at 08:12
  • I'm new to REST APIs, so I searched how to make use of sessions in a REST API. In some answers on Stack Overflow I saw that using sessions in a REST API is not possible, because we are not receiving a direct request from a browser, so it is difficult to maintain a session. But in this documentation they talk about a session ID, and that's why I'm confused: is it possible or not? – Arun Apr 09 '16 at 08:30

1 Answer

They aren't actually making use of a session in the sense of a PHP session_start(). What they're really doing can be explained in a few steps:

  1. You ask for an API key:
    1. The service then generates an auth_key with a lifetime
    2. Saves the generated api key, auth_key and expiry to a database table. The api key is very likely a UNIQUE index on the table.
    3. Sends a response to the user containing the generated api key, auth_key and the expiry of the keys.
  2. You send your login details, along with the md5(api_key . auth_key): I expect that you likely also send the api key along in a header.
    1. It first uses the received api key to query the database table
    2. Retrieves the auth_key value and expiry
    3. Checks that the auth_key has not expired; if it hasn't
    4. Computes the md5(api_key . auth_key)
    5. Compares it to the md5(api_key . auth_key) from your request
    6. If it is the same, then it checks your login details
    7. If the login details are correct, it generates a unique session_id associated to the authenticated account
    8. It saves these details to another database table: session_id, account_id. I'm using account id here because it's the most likely to use.
    9. It returns this session_id to your client
  3. Every request you send after that with the session_id then works like so:
    1. It retrieves the session_id from the request
    2. It tries to retrieve the account associated to the session_id from the database
    3. If found/valid and you have access/permissions to perform the operation, it executes the command.

In summary, that is the entire flow, which is why I said earlier that it doesn't use sessions in the way sessions work when you do a session_start(), meaning they can't do something like $_SESSION. You should also know that trying to do sessions using session_start for a RESTful API is NOT RESTful.

Update due to Rajan's comment

This answer was just an explanation based on the question; you shouldn't think too much about it. To answer your question; look at the API key, and Auth key as 2 parts of a process that helps identify a user:

  • one public: API key
  • one private: Auth key

Every time you send a request, you send the public key and a string generated from combining the public and private key. The server takes the public key, searches for a valid private key, tries to compute the value using the same formula, and finally compares what it generates to what you generated.

If they're the same, it continues processing; if they're different, it terminates execution.

The validity of the session id above can be anything you want, usually it'll be long-lived (can probably last up to 30 days).

halfer
Emmanuel Okeke
  • Since it has helped, you can mark this as the answer ;-) – Emmanuel Okeke Apr 11 '16 at 10:18
  • It's the first time I'm asking a question, so I did not know. Thank you for your help; I marked it as the answer :) – Arun Apr 11 '16 at 11:24
  • I will not get client details like the IP, the browser they are using and which device they are using, because the request is made server to server, not browser to server. So how can I get these details? Is it possible without asking the REST service requester? – Arun May 25 '16 at 05:59
  • You should check out the Wurfl project http://wurfl.sourceforge.net/. You can get all that information using it because Wurfl works by analysing the "User-Agent" header sent by the connecting client. – Emmanuel Okeke May 25 '16 at 17:53
  • @EmmanuelOkeke What is the difference between the auth key and the API key? What are they used for? And what should be the expected validity for session_id? – Rajan Aug 07 '18 at 05:51
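The three-step flow the accepted answer describes (issue api_key + auth_key with an expiry, then log in with md5(api_key . auth_key) plus credentials to obtain a session_id, then look the session_id up on every later request), as an added server-side model that is not code from the question, the answer or the documented service. It assumes in-memory dicts in place of the two database tables, a constructed 5-minute auth_key lifetime, the 30-day session lifetime the answer mentions, and PBKDF2 for the stored password; the md5 concatenation is kept exactly as the answer states it, while expiry checks, a constant-time digest comparison and a random session_id show the checks a practitioner would want around it.

```python
"""Toy server side of the api_key / auth_key / session_id flow (added example)."""
import hashlib
import hmac
import secrets
import time

# In-memory stand-ins for the two tables the answer describes (constructed).
API_KEYS = {}   # api_key -> {"auth_key": str, "expires": float}   (api_key is the unique index)
SESSIONS = {}   # session_id -> {"account_id": str, "expires": float}
ACCOUNTS = {}   # username -> (salt, pbkdf2 hash)

AUTH_KEY_TTL = 5 * 60          # seconds; assumed value, the page gives no figure
SESSION_TTL = 30 * 24 * 3600   # "can probably last up to 30 days", per the answer


def _now(now):
    return time.time() if now is None else now


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register_account(username: str, password: str) -> None:
    """Store only a salted PBKDF2 hash, never the password itself."""
    salt = secrets.token_bytes(16)
    ACCOUNTS[username] = (salt, _hash_password(password, salt))


def step1_issue_keys(now=None) -> dict:
    """Step 1: generate api_key + auth_key with a lifetime, save them, return them."""
    now = _now(now)
    api_key = secrets.token_hex(16)
    auth_key = secrets.token_hex(32)
    expires = now + AUTH_KEY_TTL
    API_KEYS[api_key] = {"auth_key": auth_key, "expires": expires}
    return {"api_key": api_key, "auth_key": auth_key,
            "server_time": now, "expires": expires}


def client_signature(api_key: str, auth_key: str) -> str:
    """The md5(api_key . auth_key) value the client sends in step 2."""
    return hashlib.md5((api_key + auth_key).encode()).hexdigest()


def step2_login(api_key: str, signature: str, username: str, password: str, now=None):
    """Step 2: verify key pair + expiry + credentials; return a session_id or None."""
    now = _now(now)
    rec = API_KEYS.get(api_key)
    if rec is None or now > rec["expires"]:
        return None                                   # unknown key or auth_key expired
    expected = client_signature(api_key, rec["auth_key"])
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return None                                   # constant-time digest comparison
    acct = ACCOUNTS.get(username)
    if acct is None:
        return None
    salt, stored = acct
    if not hmac.compare_digest(stored, _hash_password(password, salt)):
        return None
    session_id = secrets.token_urlsafe(32)            # unpredictable, unique per login
    SESSIONS[session_id] = {"account_id": username, "expires": now + SESSION_TTL}
    return session_id


def step3_authorize(session_id: str, now=None):
    """Step 3: map a session_id back to an account, dropping expired sessions."""
    now = _now(now)
    rec = SESSIONS.get(session_id)
    if rec is None:
        return None
    if now > rec["expires"]:
        del SESSIONS[session_id]
        return None
    return rec["account_id"]


if __name__ == "__main__":
    register_account("alice", "correct horse battery staple")
    keys = step1_issue_keys()
    sig = client_signature(keys["api_key"], keys["auth_key"])
    sid = step2_login(keys["api_key"], sig, "alice", "correct horse battery staple")
    print("session for:", step3_authorize(sid))
```

The md5 of the concatenated keys only proves the client saw both values from step 1; the real guard is the server-side lookup plus the expiry and the credential check, which is why the example fails closed on an expired auth_key, a wrong digest or a wrong password before any session_id exists.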