Details
Bug
Resolution: Fixed
Medium
6.2.4, 6.3.7
6.02
Description
REST Sessions are not being terminated as they should.
Steps to reproduce
Create a session:
curl -c cookie_jar -H "Content-Type: application/json" -d '{"username" : "robot", "password" : "sphere"}' http://jira.mycompany.com/rest/auth/latest/session
Check that the session was created on User Sessions (Administration > System > User Sessions)
Delete the session:
curl -b cookie_jar -c cookie_jar -X DELETE http://jira.mycompany.com/rest/auth/latest/session
atlassian-jira-security.log gets:
http-bio-8080-exec-23 robot 831x3311x1 122gu4p 0:0:0:0:0:0:0:1 /rest/auth/latest/session HttpSession [122gu4p] destroyed for 'robot'
http-bio-8080-exec-23 robot 831x3311x1 122gu4p 0:0:0:0:0:0:0:1 /rest/auth/latest/session The user 'robot' has logged out.
The session will be terminated, but not destroyed as described in the REST Endpoint:
Logs the current user out of JIRA, destroying the existing session, if any.
The session will be present until it reaches JIRA's session timeout (which by default is 5 hours).
It can also be confirmed by checking on Tomcat's Manager:
The first row on the screenshot should not be there.
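
The mismatch reported above (a session logged as destroyed yet still listed) can be checked by correlating atlassian-jira-security.log with the session ids still shown on the User Sessions page. This Python sketch is an added example, not part of the original report or of JIRA. It assumes the active ids are copied by hand in the same form the log prints them; the 'alice' log entry and the ACTIVE_IDS set are constructed sample data.

```python
import re

# Field layout as it appears in the log excerpt above:
# thread, user, request id, session id, client address, request path, message.
LINE_RE = re.compile(
    r"(?P<thread>\S+) (?P<user>\S+) (?P<request>\d+x\d+x\d+) (?P<session>\S+) "
    r"(?P<addr>\S+) (?P<path>/\S*) (?P<message>.+)$"
)
DESTROYED_RE = re.compile(
    r"HttpSession \[(?P<sid>[^\]]+)\] destroyed for '(?P<user>[^']*)'"
)

# First two entries are from the report; the third is constructed.
SAMPLE_LOG = """\
http-bio-8080-exec-23 robot 831x3311x1 122gu4p 0:0:0:0:0:0:0:1 /rest/auth/latest/session HttpSession [122gu4p] destroyed for 'robot'
http-bio-8080-exec-23 robot 831x3311x1 122gu4p 0:0:0:0:0:0:0:1 /rest/auth/latest/session The user 'robot' has logged out.
http-bio-8080-exec-7 alice 840x3390x1 9zk31q 0:0:0:0:0:0:0:1 /rest/auth/latest/session HttpSession [9zk31q] destroyed for 'alice'
"""

# Constructed: session ids still listed after the DELETE call.
ACTIVE_IDS = {"122gu4p", "1abcd2e"}


def destroyed_sessions(log_text):
    """Return {session_id: user} for every 'HttpSession [...] destroyed' entry."""
    found = {}
    for line in log_text.splitlines():
        entry = LINE_RE.search(line)
        if not entry:
            continue  # skip lines that do not follow the expected layout
        hit = DESTROYED_RE.search(entry.group("message"))
        if hit:
            found[hit.group("sid")] = hit.group("user")
    return found


def lingering_sessions(log_text, active_ids):
    """Sessions the log calls destroyed but that are still listed as active."""
    destroyed = destroyed_sessions(log_text)
    return sorted((sid, user) for sid, user in destroyed.items() if sid in active_ids)


if __name__ == "__main__":
    for sid, user in lingering_sessions(SAMPLE_LOG, ACTIVE_IDS):
        print(f"session {sid} ({user}) logged as destroyed but still active")
```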