Introduction and context
I have written an application that I and a few colleagues use to regularly fetch our respective work logs from Jira Server and automatically create/update corresponding events in our calendars. Effectively, it's like synchronizing one calendar to the other, only that the source is Jira worklogs instead of a traditional calendar.
As with any such synchronization, you want to minimize latency during the work day, so this application needs to fetch data every few minutes. That's why I made an effort to make the query as efficient as possible by using /worklog/updated and /worklog/list endpoints.
Problem description
Despite the optimizations mentioned above, the application causes problems for the Jira administrators at my company. While the number of daily requests and their duration / size is fine, it turned out that Jira performs a login for each and every REST request!
Specifically, this causes two different problems for the admins:
- Each request creates a new session. While that in itself is harmless because the session just times out after a few minutes, when that timeout happens, it is recorded in the main Jira log. And with several thousand requests per day and therefore several thousands of session timeouts, this causes an awful lot of spam that (I imagine) makes it more cumbersome to sift through, filter or process these logs for other purposes.
- Jira's login count value for each account who uses my application is ridiculously high; my own is at 18 million now! As high login counts are usually an indication of either broken/misconfigured "keep me logged in" or attempts at brute forcing, this inflated login count is misleading at best and causing alarms to go off at worst.
This seems to be the case for every REST request that uses bearer authentication using Personal Access Tokens (PATs). The Jira version in use currently is 9.4.27.
I was asked to somehow change this, but I couldn't find a solution!
Workarounds tried
- Using the JSESSIONID cookie from the response doesn't help as that session doesn't seem authenticated. Requests only work with a PAT, but then Jira always sends a new JSESSIONID cookie.
- I also tried using the /session endpoint to get a reusable session. However, that endpoint needs the user password & doesn't let me use PATs.
Questions & Notes
Has anyone noticed this behavior as well? What am I doing wrong? Is this a bug or known issue in Jira, or some kind of misconfiguration on the server side?
I suspect that this would not happen if I used OAuth instead of PATs. However, I would really like to stick with PATs. They make setup way easier, and after all, they are one of the approaches officially recommended by Atlassian.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.