Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Using JSESSIONID from API request

Chris Waters
Chris Waters March 17, 2017

It looks like each API request authenticated with basic auth returns a JSESSIONID cookie. However if that cookie is passed in the next API request instead of the basic auth credentials (i.e. to switch to using cookie authentication) then a 401 results.

If however I use the /auth/1/session API then the JSESSIONID cookie returned can be used successfully.

My goal is to avoid the extra round-trip to make the POST to /auth/1/session and instead use basic auth with the first API request and cookie authentication with subsequent requests (in order to meet the recommendation here https://jira.atlassian.com/browse/JRA-44654).

Does anyone know why the JSESSIONID from API requests can be used to authenticate the next request?

Answer
Watch
Like Be the first to like this
4624 views

3 answers

0 votes
Niclas Sandstroem
Niclas Sandstroem
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
March 17, 2017

@Chris Waters I think the following might be out of interest for you on this subject.

http://stackoverflow.com/questions/35632642/jira-rest-api-calls-fail-when-using-jsessionid-cookie-authentication-using-urlfe

Br, Niclas

Reply
0 votes
Chris Waters
Chris Waters March 17, 2017

Do you know what the purpose is of the JSESSIONID cookie that is returned with each API request?

Using cookie based authentication would be more efficient if it didn't require an extra call each time. Sometimes we need to make just one API call, so calling /auth/1/session would double the time taken. In other cases we make many requests in a row with the same identity and so cookie based authentication would apparently help. However it is not easy to know before the first call whether there will be many subsequent calls or not.

(Sorry this should have been a comment ... but I am locked out from making any more edits for 24 hours).

Reply
0 votes
Volodymyr Krupach
Volodymyr Krupach
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
March 17, 2017

Because it's not supposed to. Either you pass basic-auth headers with every request or you call /auth/1/session to retrieve the JSESSIONID bounded to authenticated session.

Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira Software
TAGS
AUG Leaders

Atlassian Community Events

    See all events