Since traditional https://username:password@version_2_api calls (API v1 style) are still possible in API v2, what is the advantage of creating a session_id? In order to create a session id, one must still include their username & password in the API call. This all may be moot since the traffic is encrypted (https). Do session id calls not affect API call limits?
What advantage does using a session_id (which expires) over the traditional credential login (username:password@..)?
Hi ghee22,
As I can see you are still pretty active with the API these days
So basically there is one advantage to use the session based type of authentication with v2.0: it triggers the reprocessing of the data. Basic auth don't do that.
What it means is that when a scan is scheduled and the results are uploaded from the scanner to the platform, we need that a user logs in and unlock the encryption key to process the results in the subscription.
API 2.0 used with session based authentication will do exactly the same as a user opening a UI session.
I ghee22,
Does it answer your question ?
Yes, thanks Eric!
Can any of you tell me how do I get my session id?
If you need a "concrete" example you look for a POST from me somewhere in this community that does powershell to download the list of users and permissions in Qualys; I think that is using a session cookie.
Basically you make one call to login to Qualys and depending on what your using CURL for example you can write the cookies to a file i.e. a cookie jar. Now all subsequent requests you pass in the cookie.jar which has the token.
If you need for some reason a script to do things as different users you could login as all the users you need and pass the sessions around.
Let me know if you have trouble finding the posts and I will get some CURL commands together for you.
David
Hello Pierre, See pages 20-21 of the V2 Guide: https://www.qualys.com/docs/qualys-api-v2-user-guide.pdf There is an example there. You manage the cookie in subsequent calls to include in the header.
Hi ghee22,
As I can see you are still pretty active with the API these days
So basically there is one advantage to use the session based type of authentication with v2.0: it triggers the reprocessing of the data. Basic auth don't do that.
What it means is that when a scan is scheduled and the results are uploaded from the scanner to the platform, we need that a user logs in and unlock the encryption key to process the results in the subscription.
API 2.0 used with session based authentication will do exactly the same as a user opening a UI session.