REST API - Session Management

Forum for users and developers of Bullhorn's new REST API service.

Moderators: StaffingSupport, s.emmons, BullhornSupport

alabuschagne
User
Posts: 1
Joined: Wed Dec 31, 1969 8:00 pm

REST API - Session Management

Post by alabuschagne » Fri Aug 03, 2018 7:10 am

I would really appreciate some advice on best practices for managing sessions.

Let me start by explaining the problem I'm trying to address:
We are a fairly large consumer of your API and, as such, we generate multiple concurrent sessions. We currently have a session broker responsible for managing session lifetimes and generating new sessions. This broker will monitor the TTL of a session and request new access tokens/refresh tokens when needed. However, due to some race conditions, the last token pair stored may not be the last pair generated, which invalidates all future requests because we have essentially lost the token pair that generated the last good session.

I'm hoping these questions will help us get to a solution:
1) Is it possible to have multiple sessions in play for a client at the same time (i.e. does a new session invalidate another one)? I'm trying to determine if it's better to manage the OAuth tokens as opposed to the sessions. In other words, each request per client may use the same access tokens but will generate its own unique session.
2) Is there any difference between using a global user session (an API user) or a session generated for an individual (corp_id/user_id)? I'm trying to determine if it will be easier to use a single account for API authentication compared to authenticating each user.

Thank you in advance for this and sorry if it's a bit vague/unclear.

MdillBH
User
Posts: 2
Joined: Tue Jan 24, 2017 8:48 am

Re: REST API - Session Management

Post by MdillBH » Mon Aug 13, 2018 4:09 pm

Hello Alabuschagne,

1) It is not possible to have more than one concurrent session with a given set of credentials (client id, secret, api user, etc.).

2) There isn't really a difference between the API users and the user sessions, except they are likely to not have the same level of permissions. I'm not sure what the nature of your application is, but if you used individual users, you would be able to have a session for each person.
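
The race described in the first post, and one way a broker can avoid it, as an added example that is not part of the thread or of Bullhorn's code. It assumes refresh tokens are single-use; `FakeAuthServer`, `SessionBroker` and all token values are constructed for illustration.

```python
import threading
from dataclasses import dataclass

@dataclass(frozen=True)
class TokenPair:
    generation: int      # bumped on every successful refresh
    access_token: str
    refresh_token: str

class FakeAuthServer:
    """Constructed stand-in: each refresh token works exactly once."""
    def __init__(self):
        self._lock = threading.Lock()
        self._count = 0
        self._valid = "rt-0"
        self.rejected = 0
    def refresh(self, refresh_token):
        with self._lock:
            if refresh_token != self._valid:
                self.rejected += 1
                raise PermissionError("stale refresh token")
            self._count += 1
            self._valid = f"rt-{self._count}"
            return f"at-{self._count}", self._valid

class SessionBroker:
    """Hypothetical broker: one refresh in flight, store updated under the same lock."""
    def __init__(self, server):
        self._server = server
        self._lock = threading.Lock()
        self._pair = TokenPair(0, "at-0", "rt-0")
    def current(self):
        return self._pair
    def renew(self, seen_generation):
        with self._lock:
            # Another worker already rotated the pair: reuse it, do not refresh again.
            if self._pair.generation != seen_generation:
                return self._pair
            access, refresh = self._server.refresh(self._pair.refresh_token)
            self._pair = TokenPair(seen_generation + 1, access, refresh)
            return self._pair

def simulate(workers=8):
    """All workers notice the same expiring pair and ask for renewal at once."""
    server = FakeAuthServer()
    broker = SessionBroker(server)
    seen = broker.current().generation
    results = []
    threads = [threading.Thread(target=lambda: results.append(broker.renew(seen)))
               for _ in range(workers)]
    for t in threads: t.start()
    for t in threads: t.join()
    return broker.current(), server.rejected, results
```

The lock here only covers one process; a broker spread across several processes needs the same generation check done as a conditional write in its shared store.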
