Using 1.2 api - Do I have to have site password to get information?

Dsweet · March 25, 2010

I wrote code to
call smugmug.login.anonymously and get a session id.
Then call smugmug.images.get which calls for:
SessionID - string.
AlbumID - integer.
Heavy - boolean (optional).
Password - string (optional).
SitePassword - string (optional).
AlbumKey - string.
I supply the SessionID, AlbumID,Password and AlbumKey.
The password is needed because the album is password protected.
I get an error:
"<?xml version=\"1.0\" encoding=\"utf-8\"?><rsp stat=\"fail\"><err code=\"4\" msg=\"invalid user (missing/incorrect site password)\" /></rsp>"
I didn't supply a site password! Why is one needed? The documentation states that it is optional! When one accesses the album through the smugmug website a site password isn't needed. Why is one needed here?
When I add the site password the call is successful, but I shouldn't have to supply it. I don't want to give the password away when I don't have to.
Can someone help me here?

devbobo · March 26, 2010

If you log in with the authenicated session as the owner of a site, you never have to supply passwords for access. But if you login with smugmug.login.anonymously, passwords are required to access info related to your site.

Does that make sense ?

Cheers,

David

Dsweet · January 6, 2011

devbobo wrote: »

If you log in with the authenicated session as the owner of a site, you never have to supply passwords for access. But if you login with smugmug.login.anonymously, passwords are required to access info related to your site.

Does that make sense ?

Cheers,

David

This use to work, but now it doesn't seem too:
I use the api to log in as the owner. That works and I get the sessionid.
I then pass the sessionid to:
https://api.smugmug.com/services/api/rest/1.2.2/?method=smugmug.albums.get&SessionID=xxx&NickName=dsweet&Heavy=1"

An error is returned:
"SmugMug Error calling smugmug.albums.get: invalid user (missing SitePassword parameter)"

Yes, there is a site password, but why do I need to supply it if I logged in as owner?

devbobo · January 6, 2011

since you are making the call over https, is your app sending the _su cookie ? If it isn't the session will be treated as anonymous.

Cheers,

David

Dsweet · January 7, 2011

devbobo wrote: »

since you are making the call over https, is your app sending the _su cookie ? If it isn't the session will be treated as anonymous.

Cheers,

David

OK, what is a _su cookie and where is there information about this?
Or, do I need to be sending it over https?
Or more generally, how important is it to use https over http when using the smugmug api?

Thanks,

David

Dsweet · January 11, 2011

Dsweet wrote: »

OK, what is a _su cookie and where is there information about this?
Or, do I need to be sending it over https?
Or more generally, how important is it to use https over http when using the smugmug api?

Thanks,

David

Any help available?

devbobo · January 15, 2011

Dsweet wrote: »

OK, what is a _su cookie and where is there information about this?
Or, do I need to be sending it over https?
Or more generally, how important is it to use https over http when using the smugmug api?

Thanks,

David

The su_ cookie is recent addition to assist in the prevention of sidejacking attacks. It is returned from smugmug.login.withPassword or smugmug.login.withHash requests.

After logging in, if you want subsequent calls over https this cookie needs to be present....otherwise the request will be treated as an anonymous request.

Using 1.2 api - Do I have to have site password to get information?

Comments