Login process overview

SSL Certificate

Algo has a point about the self signed SSL certificates not being secure.

For personal/individual bot, the security they offer is ok.

One way to make these type of SSL certifcates more secure is if Betfair.com had an SSL certificate that could be added to the SSL creation chain.

The point is not bot login is insecure, it is. The point is bot login adds lots of complexity. If uploading a PEM causes email being sent, then security is improved but at a price of much complex procedure. The interactive login is hell of simple.

I prefer think of the interactive login as "Simple Login" and the bot login as "Jedi Login". The first one takes 5 minutes to implement, the second may take an hour.

The getting certificate from Betfair will make the "Jedi" login even more complex and hatred. Have you ever tried to get certificate from Apple Inc?

Agree with AlgoTrader here. Bot login is a faff. I'd argue that there is more scope for security breeches with an interactive login anyway (you are now open to key logging attacks as well).

To me, either way feels a distinctly disjointed and separate affair from using the rest of the API.

What is the reasoning for making us hunt in cookies rather than providing a specific login request/response pair as per the rest of the api? Is the cookie method somehow more secure? (Genuine question).

I would have thought the preferred login method would depend on whether or not your Betfair account has 2 step authentication enabled.

With API6 you can't have 2 step authentication enabled or you won't be able to login. With the new interactive login it must be possible to enter the authentication code as the process is based on the standard Betfair login pages (I haven't tried this though).

The new non-interactive login appears to use openSSL and certificates as an alternative to the authentication code - the help pages say :

"Automated software (or bots) accessing the legacy Application Programming Interface, known as API6, will not continue to operate if Two-Step Authentication is turned on. This is because the automated software does not have the ability to submit the one time verification code provided by Google Authenticator.
The next generation Application Programming Interface, known as API-NG, is available and provides an alternative strong authentication mechanism"

So it seems the choice of login method really depends on whether the user is available to enter the authentication code. If you choose not to enable 2 step authentication then there's not much point worrying about your app's security since anyone getting hold of your username and password can simply login via the Betfair website.

Easy Example

Hi,

I don't suppose anyone has a very simple c# example of how to login. I understood the API6 approach, i just passed my details in a request and the response included token. However, I'm very new to this JSON-RPC effort ("very" meaning completely) and although I can see and understand the Visualiser I haven't got a clue how to go about formatting my requests etc.

Any help would be great.

Tony.

Here's a working non-interactive login code in C#:

public bool loginBot() {
bool loginSucceeded = false;

try {
const string postData = "username=yourbetfairusername&password=yourbetfair password";
X509Certificate2 x509certificate = new X509Certificate2("client-2048.p12", "yourp12password");
HttpWebRequest request = (HttpWebRequest) WebRequest.Create("https://identitysso-api.betfair.com/api/certlogin");
request.UseDefaultCredentials = true;
request.Method = "POST";
request.ContentType = "application/x-www-form-urlencoded";
request.Headers.Add("X-Application", "yourdeveloperappkey");
request.ClientCertificates.Add(x509certificate);
request.Accept = "*/*";
request.Proxy = null;
using (Stream stream = request.GetRequestStream()) {
using (StreamWriter writer = new StreamWriter(stream, Encoding.Default)) {
writer.Write(postData);
}
}
using (Stream stream = ((HttpWebResponse) request.GetResponse()).GetResponseStream()) {
using (StreamReader reader = new StreamReader(stream, Encoding.Default)) {
var jsonResponse = Newtonsoft.Json.JsonConvert.DeserializeObject<Logi nResponse>(reader.ReadToEnd());
if (jsonResponse.loginStatus == "SUCCESS") {
saveSession(jsonResponse.sessionToken);
loginSucceeded = true;
} else {
System.Media.SystemSounds.Exclamation.Play();
MessageBox.Show(String.Format("Betfair says:{0}{1}", Environment.NewLine, jsonResponse.loginStatus), "Login ERROR");
}
}
}
} catch (Exception ex) {
System.Media.SystemSounds.Exclamation.Play();
MessageBox.Show(ex.ToString(), "Login ERROR");
}

return loginSucceeded;
}

And the corresponding LoginResponse class:


public class LoginResponse {
[JsonProperty(PropertyName = "sessionToken")]
public string sessionToken { get; set; }

[JsonProperty(PropertyName = "loginStatus")]
public string loginStatus { get; set; }
}

I dont suppose you have a interactive version also (where I can just pass my U/Name and P/W as retrieve a token).

I'm trying to keep it simple at the moment.

Thanks

Interactive login using Perl

Hi

Does anyone have an example of interactive login using Perl please

Many thanks

How do I get "yourdeveloperappkey" please.
I've coded many bots in c# over the years but getting started with this JSON-RPC on here is not very user friendly.

https://api-ng.betstores.com/account/

I went to the visualiser (I had to use chrome) logged in. Then went to the createDeveloperAppKeys on the left. Gave my app a name and clicked execute. The details where on he right hand side.

Tony.

You can call the createDeveloperAppKeys operation (https://api.developer.betfair.com/se...veloperAppKeys) or more easily create it Accounts API visualizer at https://api-ng.betstores.com/account/

OK Thanks for speedy replies.

It throws an error saying that a session token is required ??

Make sure you have logged in first. As sucessfull visualiser login has always given me a session token. Hence why i'm trying to replacate this with C#.