What is the best practice to validate sessionToken without having to recreate a new sessionId each time? Skip to main content
https://support.okta.com/help/answers?id=9062a000000quedqa0&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
1
2
3
4
5
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Ask Search:
Ryan WeissRyan Weiss 

What is the best practice to validate sessionToken without having to recreate a new sessionId each time?

I would like to validate the user upon every API request, and I believe this means making a GET request to https://{{url}}.oktapreview.com/api/v1/sessions/{{sessionId}}. However, I think it is unsafe to store the sessionId on the client side (ie. a cookie), and we are trying to avoid having to store anything server-side, so I'm wondering if there is some built in way to validate sessionTokens. Does anyone know the proper protocol for validating a user that has a client-side sessionToken, that we pass to the server each request? 
Would this require us to store the sessionId on the server somewhere (ie. database or memory), associated with the given sessionToken?

Thank you,
Ryan

VictorVictor (Okta, Inc.) 
Hi Ryan! 

Indeed, to create an Okta session you will need to use the call specified here http://developer.okta.com/docs/api/resources/sessions.html#create-session-with-session-token. Once you have the session Id in response to this call. Send it in the header of your API call. In backend you can make the call to GET /sessions/<sessionID> using the session id you sent in header http://developer.okta.com/docs/api/resources/sessions.html#get-session, to make sure it is still valid. This will also give you user information. Please not if you are making the call from browser you can use http://developer.okta.com/docs/api/resources/sessions.html#get-current-session to get current session as well. 

If you use a Sign widget then a second approach will be to use OpenID/OAuth from login widget. You would need to create Open ID app in Okta if you have not already (we would need to enable Open ID for your org before). Link for OIDC/OAuth http://developer.okta.com/docs/api/resources/oidc.html and http://developer.okta.com/docs/api/resources/oauth2.html. See this section on how to get id token/access token http://developer.okta.com/code/javascript/okta_sign-in_widget_ref.html#oidc-options. Access token will be best suited for your need. Once yo haev the access token you can send it via Authorization header as "Bearer <AccessToken>". Backend will retrieve it and give access based on the valid access token or make the call to GET /userinfo endpoint http://developer.okta.com/docs/api/resources/oidc.html#get-user-information to get the user info for whom access token was generated. 

 If you have further questions, feel free to open a case with us.