Session authentication is mostly used for AJAX clients that are running in the same session context as a website.
A client usually authenticates with its credentials and receives a session_id (which can be stored in a cookie) and attaches this to every subsequent outgoing request. So this could be considered a “token” as it is the equivalent of a set of credentials. It is just an identifier and the server does everything else.
The HttpSdk class automatically saves the cookies carried in the Set-Cookie header of each response.
If a cookie object is stored locally, every subsequent request will contain a Cookie header with its value.
Sdklib provides an abstract method for login purposes.
- .login(self, **kargs)
Performs a POST request to LOGIN_URL_PATH using the parameters passed to the method.
Sometimes, you’ll need to make sure you include a valid CSRF token for any “unsafe” HTTP method calls, such as PUT, PATCH, POST or DELETE requests.
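The cookie handling and CSRF requirement described above can be sketched with the standard library alone. This is an added example, not sdklib's own code: the `CookieSession` class, the `csrftoken` cookie name and the `X-CSRFToken` header name are assumptions (Django-style defaults), and the response headers are constructed sample data.

```python
from http.cookies import SimpleCookie

UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


class CookieSession:
    """Hypothetical helper: remembers cookies and replays them on each request."""

    def __init__(self, csrf_cookie="csrftoken", csrf_header="X-CSRFToken"):
        # Cookie and header names are assumptions, not taken from sdklib.
        self.cookies = {}
        self.csrf_cookie = csrf_cookie
        self.csrf_header = csrf_header

    def store(self, response_headers):
        """Save every cookie found in the Set-Cookie headers of a response."""
        for name, value in response_headers:
            if name.lower() != "set-cookie":
                continue
            jar = SimpleCookie()
            jar.load(value)
            for key, morsel in jar.items():
                if morsel["max-age"] == "0":  # server asked us to drop it
                    self.cookies.pop(key, None)
                else:
                    self.cookies[key] = morsel.value

    def headers_for(self, method):
        """Build the Cookie header and, for unsafe methods, the CSRF header."""
        headers = {}
        if self.cookies:
            headers["Cookie"] = "; ".join(
                f"{k}={v}" for k, v in self.cookies.items())
        if method.upper() in UNSAFE_METHODS and self.csrf_cookie in self.cookies:
            headers[self.csrf_header] = self.cookies[self.csrf_cookie]
        return headers


# Constructed responses, not captured from a real server.
LOGIN_RESPONSE = [
    ("Content-Type", "application/json"),
    ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly; Secure"),
    ("Set-Cookie", "csrftoken=tok456; Path=/; SameSite=Lax"),
]
LOGOUT_RESPONSE = [("Set-Cookie", "session_id=deleted; Max-Age=0; Path=/")]
```

Because the session identifier is equivalent to the credentials, the logout branch matters: a client that ignores `Max-Age=0` keeps replaying a cookie the server has already invalidated.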
HTTP Basic authentication (BA) is the simplest technique for enforcing access controls to web resources because it doesn’t require cookies, session identifiers, or login pages; rather, HTTP Basic authentication uses standard fields in the HTTP header, obviating the need for handshakes. The credentials are only Base64-encoded, not encrypted, so Basic authentication should be used over HTTPS.
All requests must be signed. The signing process is a simplified version of the 2-legged OAuth protocol.
Every HTTP request to the API must be accompanied by two authentication headers: Authorization and Date.
The X-11Paths-Date header
The X-11Paths-Date header contains the value of the current UTC date and must have the following format:
- yyyy is the year.
- MM is the month number.
- dd is the day number.
- HH is the hour in 24h format.
- mm is the minute within the hour and ss is the second within the minute.
All values must be zero-padded so that each is two digits wide, except the year, which is four.
It is very important that the value and format of this header are exactly the same as those used when creating the requestSignature for the Authorization header, as explained above.
Note that you can still send the standard HTTP Date header in whichever format you want, such as RFC 1123. Just make sure not to confuse the two, and always use the X-11Paths-Date value in the signature process. The API will ignore the standard Date header.