Hi,
Hoping someone can help with issues I'm having with implementing cookie based authentication for an Outlook based JIRA plugin.
I have followed the API documentation for requesting a session on rest/auth/1/session and adding the JSESSIONID to the headers on future requests.
Here is an example of the session response headers:
Date: Mon, 22 Aug 2016 08:32:01 GMT
Server: Apache-Coyote/1.1
X-Arequestid: 572x13161x1
X-Asen: SEN-2027541
X-Seraph-Loginreason: OUT; OK; OK
X-Asessionid: tf83eh
X-Ausername: myuser
Cache-Control: no-cache, no-store, no-transform
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Set-Cookie: JSESSIONID=854B63DCr3212A5redFC0fgj6CA419E23454552; Path=/; Secure; HttpOnly;
crowd.token_key=""; Domain=mydomain.local; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly;
crowd.token_key=PTNwsdsfKgwspbmeufUOjbgK4Qwsh9v0; Domain=mydomain.local; Path=/; HttpOnly;
atlassian.xsrf.token=GUID-OFSO-MESO-RT00|233476b9543e6456exzv554074663077326d4b6415cdf880b|lin; Path=/; Secure;
crowd.token_key=""; Domain=mydomain.local; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly
Transfer-Encoding: chunked
When I add just JSESSIONID, I get authenticated (200: OK) responses but no JIRA data, for example from rest/api/2/issue/createmeta I get the below empty response:
I can see in the response headers that the session has flipped to the anonymous user: X-Ausername: anonymous.
In our shop we have JIRA integrated with Crowd for SSO, which I believe is coming into play here, and from reading around the internet there is mention of setting the other cookies.
So from the initial session response, the Set-Cookie header has the below cookies:
with which I have tried (unsuccessfully)
If it's any help, these are the headers I get when explicitly setting the Cookie exactly as per Set-Cookie:
Date: Mon, 22 Aug 2016 08:54:42 GMT
Server: Apache-Coyote/1.1
X-Arequestid: 594x14083x1
X-Asessionid: 1elomil
X-Asen: SEN-2027541
X-Ausername: anonymous
Cache-Control: no-cache, no-store, no-transform
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Set-Cookie: atlassian.xsrf.token=fhjf-9328-gjhs-jhsf|2341212b5sdgv5c6dgsds06468094c|lout; Path=/; Secure
Transfer-Encoding: chunked
The only thing that I have been able to do to get this working is to copy the three cookies directly out of my Chrome debug window into a format thus: "JSESSIONID=<guid>; atlassian.xsrf.token=<guid>; crowd.token_key=<guid>". This doesn't work when I do the same thing with the returned cookies from the session request though.
I have been testing this both with the application itself, which is C# using the base .NET HttpClient class, and with the Chrome plugin ARC, which allows me to carve the REST requests out by hand and see all headers and responses.
So I guess my questions are:
Many thanks in advance
Community moderators have prevented the ability to post new answers.
Hi guys,
I've the same problem. Is there a solution for this?
Cheers,
Rui Rodrigues
I believe not. Try logging into JIRA from your browser and then from a private session (or different browser). You will see that both logins have the same JSESSIONID.
This is part of my question: if you have an app using the POST /login on behalf of the user, and then the user wants to browse JIRA in their browser simultaneously, I think constant re-auth/cookie kung fu is going to come into play.
That actually works, but I don't think it is the best approach.
Still it isn't a good solution for me. I have a JIRA installation with 2-factor authentication, so if I cannot use the Cookie-Based Auth, I cannot do anything.
As a hack I am considering just doing a request to the real web login URL (e.g. "POST /login") since it does set the same set of cookies.
I am experiencing the same issue. Even though I pass the correct Cookie, it sees me as anonymous and doesn't allow me to retrieve any data.
No, nothing yet unfortunately, have sidelined for the moment. Also tried scraping the cookies from Chrome, but the crowd.token_key is in memory so couldn't get to it.
I am having the same issue, any progress made on this?
Hi Peter,
I'm only sending the cookie and content-type headers:
content-type: application/json
cookie: JSESSIONID=CD3BAB878B06bc7Ey63687683sdD7; Path=/; Secure; HttpOnly;
crowd.token_key=""; Domain=mydomain.local; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly;
crowd.token_key=9nve09bY7696xt8hf90; Domain=mydomain.local; Path=/; HttpOnly;
atlassian.xsrf.token=ghjk-qwer-8976-vzzc|4dc06523275d1375b07232125f93c2478n26c|lin; Path=/; Secure;
crowd.token_key=""; Domain=mydomain.local; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly
I've also tried sending with X-Atlassian-Token: no-check but haven't noticed any difference in the responses.
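A Cookie request header carries only name=value pairs, whereas the reply above pastes the complete Set-Cookie text (Path, Secure, HttpOnly, and the expired crowd.token_key deletions) into it. The following is an added example, not code from the thread or from Atlassian, written in Python rather than the poster's C#: it processes the five Set-Cookie values from the session response in the question the way a cookie store does, builds the Cookie header from what survives, and flags stray Set-Cookie attributes in a Cookie header. Processed in the order shown in the question, the trailing expired crowd.token_key evicts the real one, so which cookies survive depends on the order in which the Set-Cookie headers actually arrive.

```python
from datetime import datetime, timezone

# Constructed sample: the five Set-Cookie values of the session response quoted in
# the thread, in the order shown there (the token values are the thread's own).
SESSION_SET_COOKIES = [
    "JSESSIONID=854B63DCr3212A5redFC0fgj6CA419E23454552; Path=/; Secure; HttpOnly;",
    'crowd.token_key=""; Domain=mydomain.local; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly;',
    "crowd.token_key=PTNwsdsfKgwspbmeufUOjbgK4Qwsh9v0; Domain=mydomain.local; Path=/; HttpOnly;",
    "atlassian.xsrf.token=GUID-OFSO-MESO-RT00|233476b9543e6456exzv554074663077326d4b6415cdf880b|lin; Path=/; Secure;",
    'crowd.token_key=""; Domain=mydomain.local; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; HttpOnly',
]
# Attributes that belong only in Set-Cookie, never in the Cookie request header.
SET_COOKIE_ATTRIBUTES = {"path", "domain", "expires", "max-age", "secure", "httponly", "samesite"}

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    first, *rest = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = first.partition("=")
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in rest)}
    return name.strip(), value.strip().strip('"'), attrs

def is_expired(attrs, now):
    """An Expires date in the past means: delete the cookie of that name (RFC 6265)."""
    for fmt in ("%a, %d-%b-%Y %H:%M:%S %Z", "%a, %d %b %Y %H:%M:%S %Z"):
        try:
            return datetime.strptime(attrs["expires"], fmt).replace(tzinfo=timezone.utc) <= now
        except (KeyError, ValueError):
            continue
    return False  # no (parseable) Expires: a session cookie

def cookie_jar(set_cookie_values, now=None):
    """Apply Set-Cookie values in order, as a cookie store does: same name replaces, expired evicts."""
    now = now or datetime.now(timezone.utc)
    jar = {}
    for header_value in set_cookie_values:
        name, value, attrs = parse_set_cookie(header_value)
        if is_expired(attrs, now):
            jar.pop(name, None)
        else:
            jar[name] = value
    return jar

def cookie_header(jar):
    """The Cookie request header carries name=value pairs only, no attributes."""
    return "; ".join(f"{n}={v}" for n, v in jar.items())

def stray_attributes(cookie_request_header):
    """Set-Cookie attributes pasted into a Cookie header, as in the reply quoted above."""
    keys = (p.strip().partition("=")[0].strip().lower() for p in cookie_request_header.split(";"))
    return [k for k in keys if k in SET_COOKIE_ATTRIBUTES]
```

In the .NET client this bookkeeping is what the CookieContainer on HttpClientHandler does when the same handler instance is reused for the session request and the API calls, so the Cookie header never needs to be assembled by hand.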
Can you also post the headers which are sent with the request where you pass the cookies?