Fixes #17487 - support sessions for api calls
- authenticated api calls save user to session and set
flag api_authenticated_session
- sessions with such flag allow posting requests without CSRF token
- api sessions expire the same way as UI sessions
- api sessions don't store any additional data to keep the requests
stateless
This way the standard UI requests as well as API requests authenticated
with a session created from the UI remain protected against CSRF. At the same
time applications using API (such as hammer) can benefit from using
session authentication and avoid the need to store two tokens
(CSRF and _session_id).
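The policy the commit message describes, modelled as a small Ruby example added here (it is not Foreman's code). It shows the three rules that matter for CSRF: API authentication stores only the user and the `api_authenticated_session` flag, a session carrying that flag skips the token check, and a session created from the UI keeps the check even when it is replayed against the API. The idle timeout, the method names and the session hash layout are assumptions; times are plain epoch integers so the block runs offline.

```ruby
require 'securerandom'

# Constructed model of the session policy (not Foreman's implementation).
# IDLE_TIMEOUT is an assumed value; the point is that it is shared by UI
# and API sessions, as the commit message requires.
IDLE_TIMEOUT = 30 * 60 # seconds

module SessionPolicy
  module_function

  # UI login: stores the user and a CSRF token for the browser to echo back.
  def ui_login(user_id, now)
    { user_id: user_id, csrf_token: SecureRandom.hex(16), last_seen: now }
  end

  # API login (e.g. credentials sent on an API call): stores the user and the
  # flag only, so the session holds nothing beyond identity.
  def api_login(user_id, now)
    { user_id: user_id, api_authenticated_session: true, last_seen: now }
  end

  # Both kinds of session expire identically.
  def expired?(session, now)
    now - session[:last_seen] > IDLE_TIMEOUT
  end

  # The CSRF token is required for every state-changing request unless the
  # session itself was created by API authentication. A UI-created session
  # never carries the flag, so it stays protected on API routes too.
  def csrf_required?(session, method)
    return false if %w[GET HEAD].include?(method)
    !session[:api_authenticated_session]
  end

  # Decide whether a request may proceed: :ok, :expired or :csrf_rejected.
  def authorize(session, method, supplied_token, now)
    return :expired if expired?(session, now)
    if csrf_required?(session, method)
      valid = supplied_token && secure_compare(supplied_token, session[:csrf_token].to_s)
      return :csrf_rejected unless valid
    end
    session[:last_seen] = now # successful requests extend the session
    :ok
  end

  # Constant-time comparison so the token check does not leak via timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  t0 = 1_000_000
  ui  = SessionPolicy.ui_login(42, t0)
  api = SessionPolicy.api_login(42, t0)
  puts "API session, POST without token:  #{SessionPolicy.authorize(api, 'POST', nil, t0 + 1)}"
  puts "UI session,  POST without token:  #{SessionPolicy.authorize(ui, 'POST', nil, t0 + 1)}"
  puts "UI session,  POST with token:     #{SessionPolicy.authorize(ui, 'POST', ui[:csrf_token], t0 + 1)}"
  puts "API session after idle timeout:   #{SessionPolicy.authorize(api, 'POST', nil, t0 + 3600)}"
end
```

The check a reviewer would want is the second case: a browser session reused against an API endpoint is still rejected without a token, because only `api_login` sets the flag. Swapping the flag for a per-request header or a separate API token would change that property, so any refactor of the login path should keep the test for this case.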