Authenticating REST API sessions
When you start a REST API session, you use the POST method to access the login resource of the switch and pass the username and password information as data. Ensure that HTTPS is configured to use port 443. Requests to port 80 are redirected to port 443.
If the credentials are accepted, your authenticated session is started for that username, and the switch returns a cookie containing encoded session information.
In subsequent calls to the API, including calls to the logout resource, the session cookie is passed back to the switch.
The same session cookie is shared across browser tabs, and depending on the browser, multiple browser windows. However, the same session cookie is not shared across devices and scripts. For example, if a user logs into the Web UI from a laptop, again with a tablet, and then uses the same user name in a curl command, that user has three concurrent client sessions.
The maximum number of concurrent HTTPS sessions per user per switch is six. There is an upper limit of 48 total sessions per switch. It is a best practice to log out of HTTPS sessions when you are finished using them.
HTTPS sessions will automatically time out after 20 minutes of inactivity, and have a hard time limit of eight hours, regardless of whether the session is active. You can run the https-server session close all command to close all current HTTPS sessions. For more information about using the command, see https-server session close all.
Authentication through methods other than the session cookie, such as OAuth or certificates, is not supported. The server uses self-signed certificates.
The procedure to pass the session cookie back and forth from the switch depends on how you access the REST API.
For example:
If you log in to the REST API using the AOS-CX REST API Reference or using the Web UI and open the API Reference in another browser tab, the browser handles the session cookie for you. You do not have to save or otherwise manage the session cookie.
If you access the REST API using another method, such as the curl tool, you must do the following:
Save the session cookie returned from the login request.
Pass that saved cookie to the switch with every subsequent request you make to the REST API, including the logout resource.
IMPORTANT: Although it is possible to pass the user name and password information as a query string in the login URL, browser logs or tools outside the switch might save the accessed URL in cleartext in log entries. Instead, Hewlett Packard Enterprise recommends that you pass the credential information as data when using programs such as curl to log in to the switch.
For examples of accessing the REST API using curl, see Accessing the REST API using curl.
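The curl procedure above (save the cookie at login, send it with every later request, log out) can be wrapped as shell functions. This is an added example, not code from Hewlett Packard Enterprise. The /rest/v1 base path, the username and password form field names, the POST logout call, and the AOSCX_* variable names are assumptions to adjust for your switch.

```shell
# Added example (not HPE code). Assumptions: the /rest/v1 base path, the
# "username"/"password" form field names, POST for logout, and the AOSCX_*
# variable names. AOSCX_CACERT is the switch's certificate exported to a PEM
# file, so the self-signed certificate is pinned instead of using curl -k.
: "${AOSCX_HOST:=switch.example.net}"   # constructed placeholder hostname
: "${AOSCX_CACERT:=./switch-cert.pem}"

aoscx_url() { printf 'https://%s/rest/v1/%s' "$AOSCX_HOST" "$1"; }

# Log in. Credentials travel as POST data, never in the URL query string.
# The password is fed on stdin ("password@-") so it also stays out of argv.
aoscx_login() {
  printf '%s' "$AOSCX_PASS" | curl --silent --show-error --fail \
    --cacert "$AOSCX_CACERT" --cookie-jar "$AOSCX_JAR" \
    --data-urlencode "username=$1" --data-urlencode "password@-" \
    "$(aoscx_url login)"
}

# Any later call sends the saved session cookie back to the switch.
aoscx_get() {
  curl --silent --show-error --fail --cacert "$AOSCX_CACERT" \
    --cookie "$AOSCX_JAR" "$(aoscx_url "$1")"
}

# Logout also needs the cookie; it frees one of the six per-user sessions.
aoscx_logout() {
  curl --silent --show-error --fail --cacert "$AOSCX_CACERT" \
    --cookie "$AOSCX_JAR" --request POST "$(aoscx_url logout)"
}

# Usage: AOSCX_PASS=... aoscx_run USER PATH...
# Logs in, GETs each path, then always logs out and deletes the cookie jar.
aoscx_run() {
  aoscx_user=$1; shift
  AOSCX_JAR=$(mktemp) || return 1      # mktemp creates the file mode 0600
  aoscx_rc=0
  if aoscx_login "$aoscx_user"; then
    for aoscx_path in "$@"; do
      aoscx_get "$aoscx_path" || aoscx_rc=1
    done
    aoscx_logout || aoscx_rc=1
  else
    aoscx_rc=1
  fi
  rm -f "$AOSCX_JAR"
  return "$aoscx_rc"
}
```

Because aoscx_run logs out even when a request fails, a scripted job does not leave sessions behind to count against the per-user and per-switch limits until the inactivity timeout expires.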