Suggestion
Resolution: Obsolete
NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion.
Cookie-based authentication is deprecated
Jira Cloud has deprecated cookie-based authentication in favor of basic authentication with API tokens or OAuth. We strongly recommend you use either of these authentication methods in place of cookie-based authentication.
The JIRA REST API Example Cookie based Authentication page is incomplete, or at least the information there is not sufficient for Cloud customers:
According to that page, it should be enough to obtain the JSESSIONID value by sending a request to jira/rest/auth/1/session and to set it in the header of subsequent requests.
However, this is not enough (at least in Cloud): the response that carries the JSESSIONID value also returns other cookies in its headers, and to successfully use cookie authentication you must send all of those cookies in the subsequent requests.
Example (from https://support.atlassian.com/browse/JST-218465):
In the first response I got back:
Set-Cookie: atlassian.xsrf.token=BBFK-DW9I-1O0T-XAI2|d1f29197aefac82758df8ba7af6718590a4af86e|lout; Path=/; Secure
Set-Cookie: JSESSIONID=39EB1259A8CA92F7E62B8F4348AE9884; Path=/; Secure; HttpOnly
Set-Cookie: studio.crowd.tokenkey=""; Domain=.zaansmeisje.atlassian.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure; HttpOnly
Set-Cookie: studio.crowd.tokenkey=k4G0k02877DJJRTeBG6EUQ00; Domain=.zaansmeisje.atlassian.net; Path=/; Secure; HttpOnly
Therefore, in my subsequent request I set the same cookies in the header, and then it works. If I only set the JSESSIONID value, it fails with "401 Unauthorized":
-H "Content-Type: application/json" -H "Cookie: atlassian.xsrf.token=BBFK-DW9I-1O0T-XAI2|d1f29197aefac82758df8ba7af6718590a4af86e|lout; JSESSIONID=39EB1259A8CA92F7E62B8F4348AE9884; studio.crowd.tokenkey=k4G0k02877DJJRTeBG6EUQ00;"
Full request and response:
$ curl -D- -H "Content-Type: application/json" -d '{"username":"dbonotto", "password":"********" }' -X POST https://zaansmeisje.atlassian.net/rest/auth/1/session
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 06 Sep 2016 10:32:55 GMT
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-AREQUESTID: 962x18637x1
X-ASEN: SEN-2330110
X-AUSERNAME: anonymous
X-ATENANT-ID: zaansmeisje.atlassian.net
X-Seraph-LoginReason: OUT
X-Seraph-LoginReason: OK
Cache-Control: no-cache, no-store, no-transform
X-Content-Type-Options: nosniff
Set-Cookie: atlassian.xsrf.token=BBFK-DW9I-1O0T-XAI2|d1f29197aefac82758df8ba7af6718590a4af86e|lout; Path=/; Secure
Set-Cookie: JSESSIONID=39EB1259A8CA92F7E62B8F4348AE9884; Path=/; Secure; HttpOnly
Set-Cookie: studio.crowd.tokenkey=""; Domain=.zaansmeisje.atlassian.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure; HttpOnly
Set-Cookie: studio.crowd.tokenkey=k4G0k02877DJJRTeBG6EUQ00; Domain=.zaansmeisje.atlassian.net; Path=/; Secure; HttpOnly
Strict-Transport-Security: max-age=315360000;includeSubDomains
{"session":{"name":"JSESSIONID","value":"39EB1259A8CA92F7E62B8F4348AE9884"},"loginInfo":{"loginCount":5,"previousLoginTime":"2016-09-06T15:55:51.499+0530"}}
$ curl -D- -H "Content-Type: application/json" -H "Cookie: atlassian.xsrf.token=BBFK-DW9I-1O0T-XAI2|d1f29197aefac82758df8ba7af6718590a4af86e|lout; JSESSIONID=39EB1259A8CA92F7E62B8F4348AE9884; studio.crowd.tokenkey=k4G0k02877DJJRTeBG6EUQ00;" -d '{"jql": "project = bussines","startAt": 0,"maxResults": 10}' -X POST https://zaansmeisje.atlassian.net/rest/api/2/search
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 06 Sep 2016 10:35:14 GMT
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-AREQUESTID: 965x18647x1
X-ASEN: SEN-2330110
X-Seraph-LoginReason: OK
X-ASESSIONID: bzwumf
X-AUSERNAME: dbonotto
X-ATENANT-ID: zaansmeisje.atlassian.net
Cache-Control: no-cache, no-store, no-transform
X-Content-Type-Options: nosniff
Set-Cookie: JSESSIONID=6B31FCC71AECA3C950CFFABFD4E33FA1; Path=/; Secure; HttpOnly
Set-Cookie: studio.crowd.tokenkey=k4G0k02877DJJRTeBG6EUQ00; Domain=.zaansmeisje.atlassian.net; Path=/; Secure; HttpOnly
Set-Cookie: atlassian.xsrf.token=BBFK-DW9I-1O0T-XAI2|8c4a4e66ff4d6c06489e6c506d636b95119b5237|lin; Path=/; Secure
Strict-Transport-Security: max-age=315360000;includeSubDomains
{"expand":"schema,names","startAt":0,"maxResults":10,"total":4,"issues":[{"expand":"operations,versionedRepresentations,editmeta,changelog,renderedFields","id":"11304","self":"https://zaansmeisje.atlassian.net/rest/api/2/issue/11304","key":"BUS-4","fields":{"issuetype":{"self":"https://zaansmeisje.atlassian.net/rest/api/2/issuetype/10200","id":"10200","description":"A task that needs to be done.","iconUrl":"https://zaansmeisje.atlassian.net/secure/viewavatar?size=xsmall&avatarId=10318&avatarType=issuetype","name":"Task","subtask":false,"avatarId":10318},"timespent":null,"project":{"self":"https://zaansmeisje.atlassian.net/rest/api/2/project/10900","id":"10900","key":"BUS","name":"bussines","avatarUrls":{"48x48":"https://zaansmeisje.atlassian.net/secure/projectavatar?avatarId=10324","24x24":"https://zaansmeisje.atlassian.net/secure/projectavatar?":........
Workaround
When calling the session endpoint, store all the cookie information in a file and use that file to authenticate. E.g.:
- Store the cookies in a cookie jar:
curl -c cookie.txt -H "Content-Type: application/json" -d '{"username":"XXXXXXXXX", "password":"XXXXXXXXX" }' -X POST https://INSTANCE/rest/auth/1/session
OR
curl --cookie-jar cookie.txt -H "Content-Type: application/json" -d '{"username":"XXXXXXXXX", "password":"XXXXXXXXX" }' -X POST https://INSTANCE/rest/auth/1/session
- Use that jar to authenticate the subsequent REST calls:
curl -b cookie.txt --header "X-Atlassian-Token: no-check" -H "Content-Type: application/json" -X GET https://INSTANCE/rest/........
OR
curl --cookie cookie.txt --header "X-Atlassian-Token: no-check" -H "Content-Type: application/json" -X GET https://INSTANCE/rest/........
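What the cookie-jar workaround does, written out in Python as an added example (not Atlassian's code and not the reporter's): every Set-Cookie line of the login response quoted above is kept in order, the expired "" tokenkey is treated as a deletion, the later tokenkey value wins, and the whole jar is replayed as the Cookie header and kept current when the server rotates JSESSIONID.

```python
"""Cookie replay for Jira Cloud /rest/auth/1/session, as a curl cookie jar does it.
Added example (not Atlassian's or the reporter's code): every Set-Cookie of the
login response is kept in order, deletions honoured, and echoed back whole."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Header blocks of the two responses quoted in the issue (Set-Cookie lines only).
LOGIN_RESPONSE = """HTTP/1.1 200 OK
Set-Cookie: atlassian.xsrf.token=BBFK-DW9I-1O0T-XAI2|d1f29197aefac82758df8ba7af6718590a4af86e|lout; Path=/; Secure
Set-Cookie: JSESSIONID=39EB1259A8CA92F7E62B8F4348AE9884; Path=/; Secure; HttpOnly
Set-Cookie: studio.crowd.tokenkey=""; Domain=.zaansmeisje.atlassian.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure; HttpOnly
Set-Cookie: studio.crowd.tokenkey=k4G0k02877DJJRTeBG6EUQ00; Domain=.zaansmeisje.atlassian.net; Path=/; Secure; HttpOnly
"""
SEARCH_RESPONSE = """Set-Cookie: JSESSIONID=6B31FCC71AECA3C950CFFABFD4E33FA1; Path=/; Secure; HttpOnly
Set-Cookie: atlassian.xsrf.token=BBFK-DW9I-1O0T-XAI2|8c4a4e66ff4d6c06489e6c506d636b95119b5237|lin; Path=/; Secure
"""

def _is_deletion(morsel) -> bool:
    """An Expires in the past tells the client to drop the cookie (RFC 6265 semantics)."""
    if not morsel["expires"]:
        return False
    try:
        return parsedate_to_datetime(morsel["expires"]) <= datetime.now(timezone.utc)
    except (TypeError, ValueError):
        return False

def apply_set_cookies(jar: dict, raw_headers: str) -> dict:
    """Update jar in place from every Set-Cookie line of a raw header block."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "set-cookie":
            continue
        for cname, morsel in SimpleCookie(value.strip()).items():
            if _is_deletion(morsel):
                jar.pop(cname, None)       # the "" + 1970 tokenkey clears a stale value
            else:
                jar[cname] = morsel.value  # a later Set-Cookie wins, as in a browser
    return jar

def cookie_header(jar: dict) -> str:
    """Cookie request header that replays the whole jar, not JSESSIONID alone."""
    return "; ".join(f"{k}={v}" for k, v in jar.items())

if __name__ == "__main__":
    jar = apply_set_cookies({}, LOGIN_RESPONSE)
    print(cookie_header(jar))                # header for the /rest/api/2/search call
    apply_set_cookies(jar, SEARCH_RESPONSE)  # server rotated JSESSIONID: keep the jar current
    print(cookie_header(jar))
```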
is related to:
- JRACLOUD-63933 API Documentation for Cookie Based authentication needs update (Closed)
- JRASERVER-62515 The documentation for REST API Cookie authentication is incomplete (for Cloud) (Gathering Interest)