User session terminated when consuming two REST requests

I'm trying to POST a REST request through an API, but beforehand I need to authorize myself with an additional GET request (which gives me a token in response). The problem is that Mendix terminates the user session after my first (GET) request and causes my token to be invalid for my next (POST) request. I was hoping one of the fixes in release 7.14.1 would solve the problem, but I'm afraid this is only fixed for the REST Publish functionality instead of the Consume functionality. See the note below: "We fixed the issue with session authentication for REST services where the user session was terminated after the first request to the REST service." Has anybody else encountered this problem when using multiple requests with a REST Consume service?
1 answer

Hi Milan,

First of all, thanks for reaching out.


Let me try to understand what exactly you are facing.

You have a Published REST service that requires authentication and has "Active session" as the authentication method? Like in the image below?

Then you are trying to access this service by using a REST Consume action?


This type of authentication is built to be used in the context of the browser, to help load data with JavaScript. For it to work, it requires the cookie to be available in the browser and an additional CSRF token to be passed with every request. If you don't have the cookie or the token, it will not work.

The general flow for this authentication type is for some user to log in to the application and by that create a session. When the user logs in, a session cookie is saved in the browser, and that cookie can later be reused by the app to validate the user's identity. Previously this only worked with normal pages. You could open different pages while still being logged in. Now we have expanded this to also work with REST services. But for it to work, you still need to be in the browser. So it is only possible to access the service from JavaScript.

You can take a look at the reference documentation on how to access the service from your client-side code (section 3.2).

If you are using "Username and password" authentication, that requires you to send username and password with every request because by default REST services don't have a concept of session. They are request based and every request needs to be authenticated and authorized by itself.

Hope this helps.
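The two authentication modes described in the answer above, as a simplified server-side model. This is an added example, not Mendix code and not part of the original answer; the cookie name `SESSIONID`, the header names, the session and user tables and all values are constructed assumptions.

```javascript
// Simplified model (constructed, not Mendix's implementation) of the two
// authentication modes described in the answer.
const sessions = new Map([["sess-123", { user: "browser-user", csrf: "csrf-abc" }]]);
const apiUsers = new Map([["svc-user", "s3cret"]]); // real systems store password hashes

// Parse a Cookie header into a name -> value object.
function parseCookies(header = "") {
  return Object.fromEntries(
    header.split(";").map(p => p.trim()).filter(Boolean).map(p => {
      const i = p.indexOf("=");
      return i < 0 ? [p, ""] : [p.slice(0, i), p.slice(i + 1)];
    })
  );
}

// "Active session": the session cookie AND the matching CSRF token must
// accompany every request. A server-to-server call carries neither.
function authActiveSession(headers) {
  const sid = parseCookies(headers["cookie"])["SESSIONID"]; // hypothetical cookie name
  const session = sessions.get(sid);
  if (!session) return { status: 401, reason: "no valid session cookie" };
  if (headers["x-csrf-token"] !== session.csrf)
    return { status: 403, reason: "missing or wrong CSRF token" };
  return { status: 200, user: session.user };
}

// Build a Basic Authorization header value for a username and password.
function basicHeader(user, pass) {
  return "Basic " + Buffer.from(`${user}:${pass}`).toString("base64");
}

// "Username and password": no session exists, so each request is
// authenticated on its own from the credentials it carries.
function authBasic(headers) {
  const m = /^Basic (.+)$/.exec(headers["authorization"] || "");
  if (!m) return { status: 401, reason: "no credentials" };
  const decoded = Buffer.from(m[1], "base64").toString("utf8");
  const i = decoded.indexOf(":");
  if (i < 0) return { status: 401, reason: "malformed credentials" };
  const user = decoded.slice(0, i), pass = decoded.slice(i + 1);
  // Production code should compare hashed secrets in constant time.
  if (apiUsers.get(user) !== pass) return { status: 401, reason: "bad credentials" };
  return { status: 200, user };
}
```

In this model a request without the browser's cookie is rejected by `authActiveSession` regardless of what an earlier request returned, while `authBasic` accepts any number of consecutive requests as long as each one carries the credentials.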