Thanks for pointing out the documentation -- it's accurate, but we should clarify our recommendations better.
As for your JavaScript, it does work for me if I make three changes:
- Change "getXmlHttpRequest()" to "new XMLHttpRequest()", since there's no getXmlHttpRequest() function defined in your code.
- Change the content type from "application/json" to "application/x-www-form-urlencoded". The sample code you modified may have been using JSON, but this action is a form post and requires the content type stated in the documentation.
- Send the parameters instead of null. You must send the user name and password.
When running the script in my browser (FireFox) from an HTML wiki page on my LabKey Server, the script invokes the login action and (if the credentials are correct) the cookie is returned and set automatically. This is an interesting experiment, but it's not extremely useful in most real-world scenarios. The script will fail if run on a server with a different domain (browsers limit XMLHttpRequest for security reasons) but if the page calling the LabKey apis resides on LabKey Server already then the server will handle login automatically. If you're ultimately going to be using PHP or some other server language, you'll need to use its HTTP request class/object to construct and send this request, save the jsessionid cookie, and resend it with every request.
Or you can just include the Basic authentication header on every request.
Adam