Accessing user sessions

  • After users log in, their sessions are identified by a UST - User Session Token - which has its expiration time, i.e. time-to-live, that can be extended through a Python or REST call
  • There are three APIs to access user sessions: renew, verify and get. The difference between them is that:
    • Renew:
      • Checks that the session exists and if it does, it will renew it
      • On output, returns the session’s new expiration time
      • Can be used by both super-users and regular ones
    • Verify:
      • Only returns a boolean flag indicating that the session exists or not, it will not renew it
      • Does not extend the session’s expiration time
      • Can be used only by super-users
    • Get:
      • Checks that the session exists and even if it does, it will not renew it
      • On output, returns all the metadata about the session
      • Can be used only by super-users
  • Each call serves a different purpose:
    • Renew is used on behalf of users to extend their sessions
    • Verify is used by super-users to check if a given session exists without changing its expiration time
    • Get is used by super-users to get details of a session without changing its expiration time
  • On a higher level, calling get also implictly works like verify in that it returns data only if the session exists but using verify instead of get is more efficient in terms of CPU and RAM needed because only a boolean flag is returned instead of a whole set of metadata about the session
  • Note that it is not possible to renew a session if it’s already expired or if the underlying user’s password has expired
  • API call reference: