Making authenticated requests to REST Server

Last updated on 30 April 2025

You can make authenticated requests to REST Server using standard Drupal session-based security with no effort on your part. This is managed through session cookies. However, when doing this from code (for instance when using drupal_http_request() or cURL), you may need to do some extra work and set the cookie header by hand. The cookie header looks like this:

Cookie: SESS5913ad7ed2adf92cab1103dad2f5596c=213d28535c6972e16430a4e1e03ce7ea

This has three parts: the header name ('Cookie'), the session name ('SESS5913ad7ed2adf92cab1103dad2f5596c'), and the session id ('213d28535c6972e16430a4e1e03ce7ea'). Thankfully, when you call the user/login resource in Services, both the session name and session id are part of the response object, so it is pretty easy to put this header together and send it with the next request. Once you've done that, the next request will act under the authorized user's session.

Here is some sample code that demonstrates this. To set this up you will need a Drupal installation with an endpoint that has the user/login and node/retrieve resources enabled, and in which the anonymous user does not have the 'access content' permission.

Example: Drupal 7

Tested against 7.x-3.0-rc1.

<?php
$base_url = 'http://localhost/test_endpoint';
$data = array(
  'username' => 'admin',
  'password' => 'password',
);
$data = drupal_json_encode($data);
$options = array(
  'headers' => array(
    'Content-Type' => 'application/json',
  ),
  'method' => 'POST',
  'data' => $data
);

$response = drupal_http_request($base_url . '/user/login', $options);
$data = json_decode($response->data);

// Check if login was successful.
if ($response->code == 200) {
  // Reuse the session cookie returned by the login call. Anyone holding
  // this value can act as the logged-in user, so keep it out of logs.
  $options['headers']['Cookie'] = $data->session_name . '=' . $data->sessid;

  // Get info about a user. The GET request carries an empty body.
  $data = array();
  $options['data'] = http_build_query($data, '', '&');
  $options['method'] = 'GET';
  $response = drupal_http_request($base_url . '/user/32', $options);
}
?>

The parameters for drupal_http_request() changed in Drupal 7, and Services 3 expects different user login variables to be POSTed in each version of Drupal.

Example: Drupal 6

Tested against 6.x-3.0-beta2.

<?php
// This is the base URL for our installation (no trailing slash, because the
// resource paths below start with one).
$base_url = 'http://domain.com/test_endpoint';
// Necessary, or the response is empty:
$headers = array('Content-Type' => 'application/x-www-form-urlencoded');
// Login
$data = array(
  'username' => 'admin',
  'password' => 'password',
);
$data = http_build_query($data, '', '&');
$response = drupal_http_request($base_url . '/user/login', $headers, 'POST', $data);
$data = json_decode($response->data);

//$headers['Cookie'] = "$data->session_name=$data->sessid";
$response = drupal_http_request($base_url . '/node/21.json', $headers); // replace this with a node id on your system
print_r(json_decode($response->data));
?>

Note that the line which sets the cookie header is commented out. If you run this code you will get access denied when you try to access node 21. Now uncomment the cookie header line and run again. It works! You can save the session name and session id somewhere convenient and use them for all future calls as needed. Anyone who holds this pair can act as the logged-in user for as long as the session is valid, so store it as carefully as you would the password.

This same method can be used in Drupal 7 to make authenticated calls via XMLRPC. In Drupal 6 this is not possible without this core patch.

Note that most cookies have expirations or may only be active for one session. You should respect these limitations and take them into account when building your system (although doing so is beyond the scope of this code sample).
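
The cookie handling described above, extended to cover expiry, as an added example (not code from the original page or from the Services module): it checks the session_name and sessid returned by user/login before placing them in a header, and logs in again once when a cached cookie is rejected. The example_* function names, the accepted value formats and the 401/403 check are assumptions; in Drupal 7, pass 'drupal_http_request' as $transport.

```php
<?php
// Added example (not Services code); $transport has drupal_http_request()'s D7 signature.
// Build the Cookie header value from a decoded user/login response.
function example_session_cookie($login) {
  $name = isset($login->session_name) ? $login->session_name : '';
  $id = isset($login->sessid) ? $login->sessid : '';
  // Assumed formats; CR/LF or ';' here would inject headers or cookie pairs.
  if (!preg_match('/^S?SESS[0-9a-f]+\z/', $name) || !preg_match('/^[A-Za-z0-9_,-]+\z/', $id)) {
    throw new Exception('Unexpected session name or id in login response');
  }
  return $name . '=' . $id;
}

function example_login($transport, $base_url, $user, $pass) {
  $options = array('method' => 'POST', 'headers' => array('Content-Type' => 'application/json'));
  $options['data'] = json_encode(array('username' => $user, 'password' => $pass));
  $response = call_user_func($transport, $base_url . '/user/login', $options);
  if ($response->code != 200) {
    throw new Exception('Login failed with HTTP ' . $response->code);
  }
  return example_session_cookie(json_decode($response->data));
}

// GET $path with a cached cookie; log in again once if the session was dropped.
function example_get($transport, $base_url, $path, $user, $pass, &$cookie) {
  for ($attempt = 0; $attempt < 2; $attempt++) {
    if ($cookie === NULL) {
      $cookie = example_login($transport, $base_url, $user, $pass);
    }
    $options = array('method' => 'GET', 'headers' => array('Cookie' => $cookie));
    $response = call_user_func($transport, $base_url . $path, $options);
    // Assumption: an expired session is answered with 401 or 403.
    if ($response->code != 401 && $response->code != 403) {
      return $response;
    }
    $cookie = NULL; // discard the stale cookie before the retry
  }
  return $response;
}

// Constructed stand-in for the endpoint so the example runs offline.
$fake = function ($url, $options) {
  $login = substr($url, -11) === '/user/login';
  $ok = $login || $options['headers']['Cookie'] === 'SSESS0123abcd=fresh1';
  $data = $login ? '{"session_name":"SSESS0123abcd","sessid":"fresh1"}' : '';
  return (object) array('code' => $ok ? 200 : 401, 'data' => $data);
};
$cookie = 'SSESS0123abcd=expired0'; // constructed stale cookie from an earlier run
$response = example_get($fake, 'https://example.com/test_endpoint', '/node/21.json', 'admin', 'password', $cookie);
print $response->code . ' ' . $cookie . "\n";
```

The patterns use \z rather than $ because $ also matches before a trailing newline, which would let a line break through into the header value.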
