Using 1.2 api - Do I have to have site password to get information?

DsweetDsweet Big grinsPosts: 81Registered Users Big grins
I wrote code to
call smugmug.login.anonymously and get a session id.
Then call smugmug.images.get which calls for:
SessionID - string.
AlbumID - integer.
Heavy - boolean (optional).
Password - string (optional).
SitePassword - string (optional).
AlbumKey - string.
I supply the SessionID, AlbumID,Password and AlbumKey.
The password is needed because the album is password protected.
I get an error:
"<?xml version=\"1.0\" encoding=\"utf-8\"?><rsp stat=\"fail\"><err code=\"4\" msg=\"invalid user (missing/incorrect site password)\" /></rsp>"
I didn't supply a site password! Why is one needed? The documentation states that it is optional! When one accesses the album through the smugmug website a site password isn't needed. Why is one needed here?
When I add the site password the call is successful, but I shouldn't have to supply it. I don't want to give the password away when I don't have to.
Can someone help me here?

Comments

  • devbobodevbobo LR whisperer Posts: 4,999Administrators Major grins
    edited March 26, 2010
    If you log in with the authenicated session as the owner of a site, you never have to supply passwords for access. But if you login with smugmug.login.anonymously, passwords are required to access info related to your site.

    Does that make sense ?

    Cheers,

    David
    David Parry
    SmugMug API Developer
    My Photos
  • DsweetDsweet Big grins Posts: 81Registered Users Big grins
    edited January 6, 2011
    devbobo wrote: »
    If you log in with the authenicated session as the owner of a site, you never have to supply passwords for access. But if you login with smugmug.login.anonymously, passwords are required to access info related to your site.

    Does that make sense ?

    Cheers,

    David

    This use to work, but now it doesn't seem too:
    I use the api to log in as the owner. That works and I get the sessionid.
    I then pass the sessionid to:
    https://api.smugmug.com/services/api/rest/1.2.2/?method=smugmug.albums.get&SessionID=xxx&NickName=dsweet&Heavy=1";

    An error is returned:
    "SmugMug Error calling smugmug.albums.get: invalid user (missing SitePassword parameter)"

    Yes, there is a site password, but why do I need to supply it if I logged in as owner?
  • devbobodevbobo LR whisperer Posts: 4,999Administrators Major grins
    edited January 6, 2011
    since you are making the call over https, is your app sending the _su cookie ? If it isn't the session will be treated as anonymous.

    Cheers,

    David
    David Parry
    SmugMug API Developer
    My Photos
  • DsweetDsweet Big grins Posts: 81Registered Users Big grins
    edited January 7, 2011
    devbobo wrote: »
    since you are making the call over https, is your app sending the _su cookie ? If it isn't the session will be treated as anonymous.

    Cheers,

    David

    OK, what is a _su cookie and where is there information about this?
    Or, do I need to be sending it over https?
    Or more generally, how important is it to use https over http when using the smugmug api?

    Thanks,

    David
  • DsweetDsweet Big grins Posts: 81Registered Users Big grins
    edited January 11, 2011
    Dsweet wrote: »
    OK, what is a _su cookie and where is there information about this?
    Or, do I need to be sending it over https?
    Or more generally, how important is it to use https over http when using the smugmug api?

    Thanks,

    David

    Any help available?
  • devbobodevbobo LR whisperer Posts: 4,999Administrators Major grins
    edited January 15, 2011
    Dsweet wrote: »
    OK, what is a _su cookie and where is there information about this?
    Or, do I need to be sending it over https?
    Or more generally, how important is it to use https over http when using the smugmug api?

    Thanks,

    David

    The su_ cookie is recent addition to assist in the prevention of sidejacking attacks. It is returned from smugmug.login.withPassword or smugmug.login.withHash requests.

    After logging in, if you want subsequent calls over https this cookie needs to be present....otherwise the request will be treated as an anonymous request.
    David Parry
    SmugMug API Developer
    My Photos
Sign In or Register to comment.