Let's make it short: I created a Connect REST rule with both a GET and a POST method.
The GET method is to be used first to retrieve an x-csrf-token. And then this token (which is valid for 24 hours) has to be used as a header parameter of the POST method calls.
Without the Maintain Session option, it's not working as the x-csrf-token is session-sensitive. So when calling the POST method after the GET method, these two calls are not made in the same session and the token is not considered valid.
It's working with the Maintain Session option but... I'm wondering what's the exact scope of this option.
Does it mean all the calls of this Connect REST rule are going to be made in the same session (shared by all the users/requestors logged on the application)?
The scope is constrained to the thread running the pyInvokeRestConnector activity. In pre 7.2.x, you can debug this by reviewing the Java code behind this activity and from there you can follow the implementation of "Maintain Session". Post 7.2.x, this is internalized but the scope details have not changed.
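
The session-bound token behaviour discussed in this thread, as an added example that is not part of the original posts and is not Pega code: a constructed loopback server issues an x-csrf-token tied to a session, and a client calls GET then POST with or without keeping that session. It assumes the session is carried in a cookie; the `sid` cookie name and the `maintain_session` parameter are hypothetical.

```python
import http.cookiejar, secrets, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKENS = {}  # session id -> token issued to that session (constructed stand-in server)

class Handler(BaseHTTPRequestHandler):
    def _sid(self):
        cookie = self.headers.get("Cookie", "")
        return cookie.partition("sid=")[2].split(";")[0] or None

    def do_GET(self):  # fetch call: issue a token bound to the caller's session
        sid = self._sid() or secrets.token_hex(8)
        TOKENS[sid] = secrets.token_hex(16)
        self.send_response(200)
        self.send_header("Set-Cookie", f"sid={sid}")
        self.send_header("x-csrf-token", TOKENS[sid])
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_POST(self):  # accept only a token that was issued to this same session
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        token = self.headers.get("x-csrf-token")
        ok = bool(token) and TOKENS.get(self._sid()) == token
        self.send_response(200 if ok else 403)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args): pass  # keep the demo quiet

def new_client():
    # Each client has its own cookie jar, i.e. its own session; proxies are disabled.
    return urllib.request.build_opener(
        urllib.request.ProxyHandler({}),
        urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))

def get_then_post(maintain_session):
    """Fetch a token with GET, then return the status code of the POST."""
    with HTTPServer(("127.0.0.1", 0), Handler) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        url = f"http://127.0.0.1:{server.server_port}/"
        client = new_client()
        try:
            token = client.open(url).headers["x-csrf-token"]
            if not maintain_session:
                client = new_client()  # session cookie lost: POST arrives in a new session
            req = urllib.request.Request(url, data=b"{}", headers={"x-csrf-token": token})
            return client.open(req).status
        except urllib.error.HTTPError as err:
            return err.code
        finally:
            server.shutdown()
```

`get_then_post(True)` returns 200 and `get_then_post(False)` returns 403, even though the same token value is sent in both cases.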