Session Management

Session-less: Account application and user independent operations

Certain operations can be used without customer authentication. This applies to the use case “account application” (see SetAccountApplication) as well as to other operations, e.g. GetBicFromIban.

Operations related to a certain user (a person or bank customer) require one of the following session management mechanisms. Which one applies to you depends on how the web service consumer is integrated.

Client-side: Transmission of person number within request

This session management mechanism is meant for web service consumers that need full control of the core banking system and implement their own user authentication (customer login, clearance of user transactions).

In order to use web service operations without any session identifier, you must add the PersonNumber element within the SOAP header (namespace http://www.efdis.de/ob-sf-api/). The backend will use this PersonNumber to aggregate all relevant contracts and accounts for the response to your request.

The person number must identify a valid customer of the bank. It is not possible to access unauthorized third-party accounts, i.e. accounts that are not legitimated under the person provided.

Transactions can be released using the ReleaseTransaction operation. This replaces the TAN operations used in server-side session management.

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ob="http://www.efdis.de/ob-sf-api/" ...>
  <soapenv:Header>
    <ob:PersonNumber>1234</ob:PersonNumber>
  </soapenv:Header>
  <soapenv:Body>
    ...
  </soapenv:Body>
</soapenv:Envelope>

Server-side: Usage of PIN and TAN methods

This session management mechanism is meant for web service consumers that want to use the PIN and TAN mechanisms of EFDIS.ONLINE.

In order to use web service operations, it is first required to log in with a valid EFDIS.ONLINE account, see the GetUser operation. On success, the web service generates a session identifier and returns it within the SOAP header SessionId (namespace http://www.efdis.de/ob-sf-api/). The web service consumer then sends this SOAP header back within each subsequent request. The session identifier is invalidated by the SetUserLogout operation or when a failure of response type FATAL occurs.

The EFDIS.ONLINE account can be activated in EFDIS.FORMS. Usually, this is done in combination with a welcome letter for the customer.

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ob="http://www.efdis.de/ob-sf-api/" ...>
  <soapenv:Header>
    <ob:SessionId>1234</ob:SessionId>
  </soapenv:Header>
  <soapenv:Body>
    ...
  </soapenv:Body>
</soapenv:Envelope>

Transactions can be released with the GetTan and UseTan operations. The TAN method must have been initialized. For example, it is required to have a phone number stored in the database for the mTAN method.
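The following is an added example (not code from EFDIS or this API's documentation) showing how a consumer builds the SOAP header for both mechanisms described above: the client-side PersonNumber header and the server-side SessionId header that is read from the GetUser login response and sent back on later requests. The operation names used for the body and the sample login response are constructed for the example; only the namespace and header element names come from the page.

```python
# Added example (not EFDIS code): session headers of the ob-sf-api SOAP service.
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
OB_NS = "http://www.efdis.de/ob-sf-api/"   # namespace of PersonNumber / SessionId (from the page)
ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("ob", OB_NS)


def operation_body(operation_name):
    """Create an (empty) body element for an operation; the name is a placeholder."""
    return ET.Element(f"{{{OB_NS}}}{operation_name}")


def build_envelope(body, person_number=None, session_id=None):
    """Wrap `body` in an envelope carrying exactly one session header.

    Client-side mechanism: the consumer has authenticated the customer itself and
    passes PersonNumber. Server-side mechanism: the consumer passes the SessionId
    it received from GetUser. The two are alternatives, so sending both is refused.
    """
    if (person_number is None) == (session_id is None):
        raise ValueError("exactly one of person_number / session_id is required")
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    if person_number is not None:
        ET.SubElement(header, f"{{{OB_NS}}}PersonNumber").text = str(person_number)
    else:
        ET.SubElement(header, f"{{{OB_NS}}}SessionId").text = str(session_id)
    ET.SubElement(env, f"{{{SOAP_NS}}}Body").append(body)
    return ET.tostring(env, encoding="unicode")


def extract_session_id(response_xml):
    """Return the SessionId from a response's SOAP header, or None if absent."""
    root = ET.fromstring(response_xml)
    node = root.find(f"{{{SOAP_NS}}}Header/{{{OB_NS}}}SessionId")
    return node.text if node is not None else None


# Constructed sample: a GetUser (login) response carrying the session header.
SAMPLE_LOGIN_RESPONSE = (
    f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:ob="{OB_NS}">'
    "<soapenv:Header><ob:SessionId>1234</ob:SessionId></soapenv:Header>"
    "<soapenv:Body/></soapenv:Envelope>"
)


def follow_up_request(login_response_xml, body):
    """Build the next request of a server-side session from the login response."""
    sid = extract_session_id(login_response_xml)
    if sid is None:
        raise RuntimeError("login response carried no SessionId; no session to continue")
    return build_envelope(body, session_id=sid)
```

Keep the PersonNumber used in the client-side variant bound to the consumer's own authenticated customer record rather than to any value supplied by the caller, since the backend trusts it as the authorization context for the request.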