REST API: What is the point of sessions? Why use them?
I'm toying around with using the REST API and I have been wondering what point there is to registering and using a session in practice.
I did read the documentation and it does describe how to create, maintain, reassign, delete a session and see current sessions; I get that. What I don't get is what I gain from using them, because it doesn't seem like they let you remain authed: you still need to provide your tokens for other requests that actually need it.
I did take a look at what the generated eHMI pages do with sessions and it seems they register one before even logging in through the dialogue (so no auth needed for those) and then it refreshes it every 2 or 3 seconds. But the returned data is just apiVersion, projectCRC, sessionID, userAuthenticationRequired; none of which sounds particularly useful to me.
Do they do something behind the scenes on the backend or is there a way to manage authentication through them?
Comments
it doesn't seem like they let you remain authed: you still need to provide your tokens for other requests that actually need it.
If the authentication token still works, then you remain authorised - you don't need to provide your credentials again, just the authentication token. When the session expires, the authentication token won't work any more. Without a session, you'd have to provide your credentials with every request.
That's my understanding based on my limited knowledge of REST and some googling.
If you need more details I will ask the developers, but I think they haven't done anything unusual in this REST implementation.
That's what I assumed a session in API would do too: leave you authed for later requests. But it doesn't seem to do that in this case at all, that's what motivated my question.
According to the docs and what I can actually do toying with the API, it doesn't take any auth data.
This creates a session successfully (and the eHMI does the same thing before we even input user and password). So I was wondering what good creating that session could do me if it won't say "you're authed, no need to provide token every time". Doing a variables request after that without providing a token but providing the sessionID results in 401 Unauthorized (of course, since this session wasn't created with auth, there is no way it means we're authed).
After your comment I did try "what if I can give the session creation a token even if not mandatory and not documented" but it didn't work either.
One hypothesis I had is that it is meant to do exactly that in the future: let you remain authorised. But that it hasn't been implemented yet or is bugged. Another one is that sessions do <something> not having to do with auth but what that something could be I don't know.
I would like to know, if it's not a nuisance, but it is nothing time-urgent or sensitive, or that is stopping me from making an actual real-life project. It was mostly that I'm trying to make a small showcase/guide for the API for people with a non-IT and more traditional industrial controls background like me, from what I've managed to learn, and I was trying to fill this gap in my knowledge.
Here is an answer from one of the developers of the REST API. I have highlighted one of the key points.
A session is a context that is used to keep associated resources alive. Examples are groups and trends. A session is independent of the authentication context: it is possible to have a group associated with a session in applications that do not use authentication, such as in air-gapped networks within a machine. When the session times out or is deleted, the associated resources (groups, trends, etc.) get cleaned up as well.
Oooh, so that was it: useful to clean up after yourself in one go or with a timeout. Thanks, Martin! And thanks to the developer.
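To make the developer's explanation concrete for readers coming from a controls background, here is a small toy model of the behaviour described in this thread. It is an added example, not the vendor's REST API, the eHMI code, or any real server: the class and method names, the "group" resource, the token value and the variable names are all assumptions made for the illustration. It shows the three points the thread settles on: a session is created and refreshed without any credentials, a session alone does not authorise a data request (the token check is separate and still answers 401), and resources bound to the session are dropped automatically when the session times out or is deleted.

```python
# Toy model of the session semantics described in the thread (added example,
# not the vendor's API). Names, the "group" resource and the token are assumptions.
import secrets
from dataclasses import dataclass, field


class Unauthorized(Exception):
    """Raised where the real API would answer 401 Unauthorized."""


class NoSuchSession(Exception):
    """Raised when a sessionID is unknown or has already timed out."""


@dataclass
class Session:
    session_id: str
    expires_at: float
    # Resources kept alive by this session (the developer mentions groups and trends).
    groups: dict = field(default_factory=dict)


class FakeClock:
    """Manual clock so the example is deterministic and runs offline."""
    def __init__(self):
        self.now = 0.0

    def advance(self, seconds):
        self.now += seconds


class ToyApi:
    def __init__(self, clock, session_ttl=10.0, valid_tokens=()):
        self.clock = clock
        self.session_ttl = session_ttl
        self.valid_tokens = set(valid_tokens)
        self.sessions = {}
        # Constructed process data served by the "variables" endpoint.
        self.variables = {"Motor1.Speed": 1450, "Tank1.Level": 72.5}

    def _reap_expired(self):
        """Drop timed-out sessions; their groups disappear with them."""
        expired = [sid for sid, s in self.sessions.items() if s.expires_at <= self.clock.now]
        for sid in expired:
            del self.sessions[sid]

    def _get_session(self, session_id):
        self._reap_expired()
        try:
            return self.sessions[session_id]
        except KeyError:
            raise NoSuchSession(session_id) from None

    # --- session lifecycle: no authentication involved, as in the thread ---
    def create_session(self):
        sid = secrets.token_hex(8)
        self.sessions[sid] = Session(sid, self.clock.now + self.session_ttl)
        return sid

    def refresh_session(self, session_id):
        """The periodic keep-alive the eHMI sends; it only extends the timeout."""
        sess = self._get_session(session_id)
        sess.expires_at = self.clock.now + self.session_ttl
        return {"sessionID": sess.session_id,
                "userAuthenticationRequired": bool(self.valid_tokens)}

    def delete_session(self, session_id):
        self._get_session(session_id)
        del self.sessions[session_id]  # explicit cleanup of everything bound to it

    # --- a resource whose lifetime is bound to the session ---
    def create_group(self, session_id, name, variable_names):
        sess = self._get_session(session_id)
        sess.groups[name] = list(variable_names)
        return name

    def live_groups(self):
        """Groups still alive, keyed by the session that owns them."""
        self._reap_expired()
        return {sid: sorted(s.groups) for sid, s in self.sessions.items() if s.groups}

    # --- an authenticated endpoint: the sessionID is irrelevant here ---
    def read_variables(self, names, token=None, session_id=None):
        if self.valid_tokens and token not in self.valid_tokens:
            raise Unauthorized("401: token required regardless of sessionID")
        return {n: self.variables[n] for n in names}


def demo():
    """Walk through the behaviour discussed in the thread; returns observations."""
    clock = FakeClock()
    api = ToyApi(clock, session_ttl=10.0, valid_tokens={"demo-token"})
    results = {}
    sid = api.create_session()                       # works with no credentials
    api.create_group(sid, "pump_page", ["Motor1.Speed"])
    try:
        api.read_variables(["Motor1.Speed"], session_id=sid)   # session alone -> 401
    except Unauthorized:
        results["session_alone_is_401"] = True
    results["with_token"] = api.read_variables(["Motor1.Speed"], token="demo-token")
    clock.advance(6)
    api.refresh_session(sid)                         # keep-alive resets the timeout
    clock.advance(6)                                 # 12 s elapsed, 16 s deadline
    results["group_alive_after_refresh"] = "pump_page" in api.live_groups().get(sid, [])
    clock.advance(10)                                # no refresh: session times out
    results["groups_after_timeout"] = api.live_groups()
    try:
        api.refresh_session(sid)
    except NoSuchSession:
        results["refresh_after_timeout_fails"] = True
    return results
```

Running `demo()` reproduces the 401 the original poster saw when sending only a sessionID, and shows why the eHMI refreshes every few seconds: the refresh is what keeps the page's groups alive, not what keeps the user logged in.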