Right now, for normal API access, you do the following:

1. Make a call to the session API to get a session using a token.
2. Use the session cookie for calls to the other API methods.

If the client already has a session cookie associated with the same IP
address (somehow), then it could use that cookie for access to the API
methods as well, and just skip step 1. The API methods would be run as the
user that the cookie belongs to. Just the fact that a client is running on
the same PaaS environment doesn't mean that it will have a session cookie.
I don't think CBA necessarily gets this for you either, but JavaScript
running in the authenticated web app actually would have a valid session
cookie attached to its requests.

Is there a particular scenario you are considering?

Ethan

On Mon, Nov 21, 2011 at 5:33 AM, Richard Hirsch <[email protected]> wrote:

> Currently, our REST API is token based. What happens when a web-based
> ESME client and the ESME server are both running on the same PaaS
> environment? Do we need a REST call that gets a token based on a user
> logged in via CBA?
>
> Thoughts?
>
> D.
>
