On Thu, Apr 13, 2017 at 8:40 AM, Kai Sommer <sommer@leibniz-gei.de> wrote:

Making the 2nd request I have to send "lgname", "lgpassword" and "lgtoken" in the body and the cookie in the header. − But then I get the API warning:
"Fetching a token via action=login is deprecated. Use action=query&meta=tokens&type=login instead."
The response includes the result ("NeedToken") and "token", "cookieprefix", "sessionid".

If I use the body-parameters as URL-parameters I get the API warning:
"The following parameters were found in the query string, but must be in the POST body: lgpassword, lgtoken".

That means you lost the session. The API thinks you are using the old method of doing to action=login POSTs (the first to fetch a token).

You should probably use some cookie handling library. Set-Cookie and Cookie have different syntax, and in general cookie handling is tricky to get right.