A Web Services session allows the Web server to keep track of a specific user through a session token. The session token is a unique identifier for an authenticated user in a Web Services session. You start a new session and get a new session token through the loginUser operation. Because the token alone identifies the session user, any caller that presents it acts with that user's privileges until the session is logged out or expires, so treat it as a secret: do not log it, expose it in URLs, or hand it to a less trusted component.
For Web Services, some operations only require that you identify a specific user for the session (these are called Authenticated operations). Authenticated operations only require a valid session token.
Some operations require that you identify a specific user so that the user’s access permissions can be verified (these are called Privileged operations). For example, the server will not allow one user to access another user’s personal information without authorization. These privileged operations require a valid session token and additional SirsiDynix Symphony user rights.
A few operations do not require any user identification (such as license and version) and therefore do not need a session token.
What is a session?
In Web Services, a session caches information for a specific user with specific privileges and (optionally) a specific workstation policy. This improves performance when interacting with the ILS server and eliminates the need for you to specify credentials repeatedly for multiple operations.
The Web Services session is independent of any sessions managed by the application server (Tomcat sessions, for example).
Session usage
Your application can open and manage multiple sessions simultaneously. You may open more than one session for the same user. You may use the same session token for multiple operations so long as the associated privileges are sufficient for the operations you request.
The user associated with a session token is known as the session user. It is the session user's privileges that determine whether you have sufficient permissions to complete a privileged operation. For example, if the session user is a patron, that user will not have permission to work with data that requires staff privileges.
The session user may be different from the user that is the object of a specific request. For example, you might log in a staff user and use the returned session token in one or more lookupUserInfo operations to look up information about different patrons, so long as that staff user has sufficient permissions to perform the requested operations.
In general, if the user that is the object of a request is different from the session user, the session user must have a privilege level of STAFF or higher. (For more information about privilege levels, see PrivilegeLevel.)
For more information about specific permissions, refer to the WorkFlows Java client help or consult with a library system administrator.
You end a session with the logoutUser operation. You are strongly encouraged to use the logoutUser operation to close sessions that are no longer needed; this frees up resources on the server and invalidates the token immediately. If you don't log out, the session remains open on the server, and its token remains usable, until it expires.
A session example
An example will help to illustrate the sequence of calls required to complete privileged or authenticated operations.
Suppose your application provides a way for a patron to display the number of items he or she currently has checked out. Displaying a user’s information is a privileged operation. Because privileged operations require a session token, you must create a session.
1. Collect the patron's credentials (login and password).
2. Submit the login and password in a loginUser request to start a new session.
3. If the patron is a valid library user, the server returns LoginUserResponse with a new sessionToken and the patron's userID.
4. Submit a lookupMyAccountInfo request using the sessionToken, with includePatronInfo and includePatronCheckoutInfo set to true.
5. The server returns LookupMyAccountInfoResponse with information about the patron, including the number of items currently checked out.
6. At this point, you could perform other operations with the same sessionToken or submit a logoutUser request to terminate the session.
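The sequence above, together with the privilege rule from Session usage (a session user acting on a different user needs STAFF or higher), as an added example that is not SirsiDynix code. The client side runs loginUser, then lookupMyAccountInfo or lookupUserInfo, then logoutUser, and guarantees the logout even when an operation faults. It is exercised against an in-memory stand-in for the server so that it runs offline; the transport interface call(operation, params), the FakeSymWs class, the user records and passwords, and the PATRON/STAFF ordering are all assumptions, and the real SOAP endpoint and message format are not modelled.

```python
import secrets
from dataclasses import dataclass


class WsFault(Exception):
    """Raised where the real service would return a SOAP fault."""


@dataclass
class User:
    user_id: str
    password: str
    level: str      # hypothetical PrivilegeLevel name
    checkouts: int  # items currently checked out (constructed data)


# Ordering assumed for the demo; the page only states that acting on
# another user requires STAFF or higher.
LEVELS = {"PATRON": 0, "STAFF": 1}


class FakeSymWs:
    """In-memory stand-in for the Web Services server (hypothetical)."""

    def __init__(self, users):
        self.users = {u.user_id: u for u in users}
        self.sessions = {}  # sessionToken -> user_id

    def call(self, operation, params):
        if operation == "version":  # needs no user identification
            return {"version": "demo"}
        if operation == "loginUser":
            user = self.users.get(params["login"])
            if user is None or user.password != params["password"]:
                raise WsFault("loginUser: invalid credentials")
            token = secrets.token_urlsafe(24)  # unguessable bearer token
            self.sessions[token] = user.user_id
            return {"sessionToken": token, "userID": user.user_id}
        # Everything else is at least Authenticated: the token must be live.
        token = params.get("sessionToken")
        if token not in self.sessions:
            raise WsFault(f"{operation}: invalid or expired session token")
        session_user = self.users[self.sessions[token]]
        if operation == "logoutUser":
            del self.sessions[token]  # token is unusable from here on
            return {}
        if operation == "lookupMyAccountInfo":
            # Privileged, but the object of the request is the session user.
            return {"userID": session_user.user_id,
                    "checkoutCount": session_user.checkouts
                    if params.get("includePatronCheckoutInfo") else None}
        if operation == "lookupUserInfo":
            # Object of the request may differ from the session user.
            target = self.users.get(params["userID"])
            if target is None:
                raise WsFault("lookupUserInfo: no such user")
            if target is not session_user and LEVELS[session_user.level] < LEVELS["STAFF"]:
                raise WsFault("lookupUserInfo: session user lacks STAFF privilege")
            return {"userID": target.user_id, "checkoutCount": target.checkouts}
        raise WsFault(f"unknown operation {operation}")


class WsSession:
    """Client-side session: loginUser on enter, logoutUser on exit, even on error."""

    def __init__(self, transport, login, password):
        self.transport, self.login, self.password = transport, login, password
        self.token = self.user_id = None

    def __enter__(self):
        resp = self.transport.call("loginUser", {"login": self.login, "password": self.password})
        self.token, self.user_id = resp["sessionToken"], resp["userID"]
        return self

    def __exit__(self, exc_type, exc, tb):
        # Free the server-side session instead of leaving it open until it expires.
        self.transport.call("logoutUser", {"sessionToken": self.token})
        self.token = None
        return False  # do not swallow the operation's exception

    def call(self, operation, **params):
        return self.transport.call(operation, {"sessionToken": self.token, **params})


def make_demo_server():
    """Constructed users for the demo; not real library data."""
    return FakeSymWs([User("patron1", "p1", "PATRON", 3),
                      User("patron2", "p2", "PATRON", 0),
                      User("staff1", "s1", "STAFF", 1)])


def checked_out_count(server, login, password):
    """Steps 1 to 6 above: log in as the patron, read the checkout count, log out."""
    with WsSession(server, login, password) as s:
        info = s.call("lookupMyAccountInfo", includePatronInfo=True, includePatronCheckoutInfo=True)
        return info["checkoutCount"]


def lookup_other_user(server, login, password, target_user_id):
    """Look up another user's checkouts; faults unless the session user is STAFF or higher."""
    with WsSession(server, login, password) as s:
        return s.call("lookupUserInfo", userID=target_user_id)["checkoutCount"]
```

Using a context manager for the session is the point of the client half: if lookupUserInfo faults because the session user is only a patron, logoutUser still runs, and the server's session table is empty afterwards rather than holding a live token until expiry.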
© 2009-2012 SirsiDynix