Session management

REST API Reference Guide for Virtual Storage Platform 5000, Virtual Storage Platform E Series, and Virtual Storage Platform G/F Series

Part Number
In the REST API, a session is used to identify multiple requests as a series of operations to be performed by the same client. For example, if a user wants to use the same account to run two client programs in parallel, the user must generate a session for each client program. On the REST API server, each program is identified based on session information. In addition, when the REST API is used to exclusively lock the resources to be operated, the REST API controls the locks on a session basis.

A session is always generated when a REST API client accesses the REST API server and starts an operation on a storage system. After a session is generated, a session ID and token are returned to the client. In subsequent operations, specify the token for the Authorization header of each request, as authentication information. To terminate operations from a REST API client, discard sessions to prevent sessions that are no longer required from remaining on the server.

Generating a session

A REST API session is created when the user runs the API that generates a session. A user can generate multiple sessions. The maximum number of sessions that can be used is 64 per storage system.

After the session is generated, the following information is returned to the client as a response:
  • Session ID

    ID used for identifying a session on the REST API server. A session ID is used to check whether the session is valid or to discard the session. The user who created the session, or a user who belongs to the Administrator user group (built-in user group) can view the session ID.

  • Token

    Information that is used to identify the source that issues requests as a specific user. A token is used to decide whether the request is issued during the same session. Only the user who created the session can view the token.

Running an API request by using a session

To use a session to run an API request, specify a token for the Authorization header of the request as authorization credentials. The requests for which the same token is specified are handled as the operation during the same session. The following is an example of specifying the Authorization header with a token specified.

Authorization : Session d7b673af189048468c5af9bcf3bbbb6f

If a session goes unused for a certain period of time, it is automatically discarded (session timeout). The time that elapses until a session timeout is the time that has elapsed since the session was generated or the execution result of the request for which the session was specified was returned. The wait time during synchronous processing and the wait time for the response of an asynchronous processing API request are not included in that time. If a request that uses that session is issued during the time that elapses until a session timeout, the time is reset. The time until a session timeout is 300 seconds (5 minutes) by default. However, you can specify the time until a session timeout when a session is generated.

To prevent the session for an operation that is in progress from being discarded by a timeout, periodically issue a request that uses the session.


If the information (such as the role and resource group) about the user who generated the session is changed while the session is being used, the changes are applied to the operation even while the session is being used. If the password of the user who generated the session is changed, the session might be discarded.

Discarding a session

If you no longer need to manage sessions after finishing a series of operations, discard the sessions. Sessions can be discarded only by the user who generated the sessions, or a user who belongs to the Administrator user group (built-in user group) .

If you have locked the resources by specifying a session, the resources will be unlocked when the session is discarded.