Why does Jira create a new session for each REST API request?

Jens Bannmann
November 14, 2024

Introduction and context

I have written an application that I and a few colleagues use to regularly fetch our respective work logs from Jira Server and automatically create/update corresponding events in our calendars. Effectively, it's like synchronizing one calendar to the other, only that the source is Jira worklogs instead of a traditional calendar.

As with any such synchronization, you want to minimize latency during the work day, so this application needs to fetch data every few minutes. That's why I made an effort to make the query as efficient as possible by using /worklog/updated and /worklog/list endpoints.

Problem description

Despite the optimizations mentioned above, the application causes problems for the Jira administrators at my company. While the number of daily requests and their duration / size is fine, it turned out that Jira performs a login for each and every REST request!

Specifically, this causes two different problems for the admins:

  1. Each request creates a new session. While that in itself is harmless because the session just times out after a few minutes, when that timeout happens, it is recorded in the main Jira log. And with several thousand requests per day and therefore several thousands of session timeouts, this causes an awful lot of spam that (I imagine) makes it more cumbersome to sift through, filter or process these logs for other purposes.
  2. Jira's login count value for each account that uses my application is ridiculously high; my own is at 18 million now! As high login counts are usually an indication of either broken/misconfigured "keep me logged in" or attempts at brute forcing, this inflated login count is misleading at best and causing alarms to go off at worst.

This seems to be the case for every REST request that uses bearer authentication using Personal Access Tokens (PATs). The Jira version in use currently is 9.4.27.

I was asked to somehow change this, but I couldn't find a solution!

Workarounds tried

  • Using the JSESSIONID cookie from the response doesn't help as that session doesn't seem authenticated. Requests only work with a PAT, but then Jira always sends a new JSESSIONID cookie.
  • I also tried using the /session endpoint to get a reusable session. However, that endpoint needs the user password and doesn't let me use PATs.

Questions & Notes

Has anyone noticed this behavior as well? What am I doing wrong? Is this a bug or known issue in Jira, or some kind of misconfiguration on the server side?

I suspect that this would not happen if I used OAuth instead of PATs. However, I would really like to stick with PATs. They make setup way easier, and after all, they are one of the approaches officially recommended by Atlassian.

1 answer

0 votes
Utkarsh Agarwal
December 9, 2024

Hi @Jens Bannmann

Welcome to the community!

You're correct that PATs are recommended and simplify setup. However, the creation of new sessions for each REST API request is expected behavior due to how PATs authenticate. While OAuth avoids this issue by reusing sessions, if you wish to stick with PATs, consider:

  1. Optimizing Request Strategy: Reduce the number of requests or combine them where possible.
  2. Session Management: Evaluate if session expiration impacts your use case.

Kind Regards,

Utkarsh
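Because a PAT-authenticated call is also a fresh login, the login count and session-timeout log noise described in the question grow one-for-one with the request count. The following is an added example, written by the editor and not code from either poster, of the request-minimizing polling both the question and the answer's first point describe: page the /worklog/updated feed once, then fetch the changed IDs in batches from /worklog/list, and report how many calls (logins) the round cost. The endpoint paths and response shape follow the Jira Server REST API as I know them; the transport and sample worklogs are constructed stand-ins so the code runs offline, and the 1000-ID batch size is an assumption taken from the API documentation.

```python
from typing import Any, Callable, Dict, List, Tuple

# Transport abstraction: (method, path, json_body) -> decoded JSON. A real one would wrap
# requests.Session with an "Authorization: Bearer <PAT>" header; here it is injected.
Transport = Callable[[str, str, Any], Any]

def sync_worklogs(transport: Transport, since_ms: int, batch: int = 1000) -> Tuple[List[dict], int, int]:
    """One polling round: returns (worklogs, next_since_ms, request_count).
    Pages GET /rest/api/2/worklog/updated?since=<ms>, then POSTs the IDs to
    /rest/api/2/worklog/list in batches (1000 is an assumed per-call limit). With PAT
    bearer auth every call is also a login, so request_count is the login-count cost."""
    ids: List[int] = []
    requests = 0
    path = f"/rest/api/2/worklog/updated?since={since_ms}"
    until = since_ms
    while True:
        page = transport("GET", path, None)
        requests += 1
        ids.extend(v["worklogId"] for v in page.get("values", []))
        until = page.get("until", until)  # store this as the next round's "since"
        if page.get("lastPage", True):
            break
        path = page["nextPage"]           # real Jira returns an absolute URL here
    unique = sorted(set(ids))             # the feed may list one worklog more than once
    worklogs: List[dict] = []
    for i in range(0, len(unique), batch):
        worklogs.extend(transport("POST", "/rest/api/2/worklog/list", {"ids": unique[i:i + batch]}))
        requests += 1
    return worklogs, until, requests

# Constructed sample data standing in for a Jira Server instance (not real worklogs).
SAMPLE_WORKLOGS: Dict[int, dict] = {
    101: {"id": "101", "issueId": "10001", "timeSpentSeconds": 1800},
    102: {"id": "102", "issueId": "10001", "timeSpentSeconds": 3600},
    103: {"id": "103", "issueId": "10042", "timeSpentSeconds": 900},
}

def make_fake_jira(changed: Dict[int, dict], page_size: int = 2) -> Transport:
    """Offline stand-in that serves the two endpoints with the documented response shape."""
    ordered = sorted(changed)
    def transport(method: str, path: str, body: Any) -> Any:
        if method == "GET" and "/worklog/updated" in path:
            start = int(path.rsplit("start=", 1)[1]) if "start=" in path else 0
            chunk = ordered[start:start + page_size]
            last = start + page_size >= len(ordered)
            return {"values": [{"worklogId": i, "updatedTime": 1700000000000 + i} for i in chunk],
                    "until": 1700000000000 + (chunk[-1] if chunk else 0), "lastPage": last,
                    "nextPage": None if last else f"/rest/api/2/worklog/updated?start={start + page_size}"}
        if method == "POST" and path.endswith("/worklog/list"):
            return [changed[i] for i in body["ids"] if i in changed]
        raise ValueError(f"unexpected call {method} {path}")
    return transport
```

With three changed worklogs and two-item pages, one round costs three requests (two feed pages, one list call), so the login count rises by three rather than by one per worklog.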
