Details
Issue type: Suggestion
Resolution: Obsolete
Description
NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion.
Cookie-based authentication is deprecated
Jira Cloud has deprecated cookie-based authentication in favor of basic authentication with API tokens or OAuth. We strongly recommend you use either of these authentication methods in place of cookie-based authentication.
The JIRA REST API Example - Cookie-based Authentication page is incomplete, or at least its instructions are not sufficient for Cloud customers.
According to that page it should be enough to POST your credentials to /rest/auth/1/session, take the JSESSIONID value from the response, and send it in the Cookie header of subsequent requests.
However, in Cloud this is not enough. The login response sets other cookies alongside JSESSIONID, and to authenticate successfully you must send all of those cookies back in subsequent requests.
Example (from https://support.atlassian.com/browse/JST-218465):
In the first response I got back:
Set-Cookie: atlassian.xsrf.token=BBFK-DW9I-1O0T-XAI2|d1f29197aefac82758df8ba7af6718590a4af86e|lout; Path=/; Secure
Set-Cookie: JSESSIONID=39EB1259A8CA92F7E62B8F4348AE9884; Path=/; Secure; HttpOnly
Set-Cookie: studio.crowd.tokenkey=""; Domain=.zaansmeisje.atlassian.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure; HttpOnly
Set-Cookie: studio.crowd.tokenkey=k4G0k02877DJJRTeBG6EUQ00; Domain=.zaansmeisje.atlassian.net; Path=/; Secure; HttpOnly
Therefore, in my successive request I set the same cookies in the header, and then it works. If I only set the JSESSIONID value it fails, returning "401 Unauthorized":
-H "Content-Type: application/json" -H "Cookie: atlassian.xsrf.token=BBFK-DW9I-1O0T-XAI2|d1f29197aefac82758df8ba7af6718590a4af86e|lout; JSESSIONID=39EB1259A8CA92F7E62B8F4348AE9884; studio.crowd.tokenkey=k4G0k02877DJJRTeBG6EUQ00;"
Full request and response:
$ curl -D- -H "Content-Type: application/json" -d '{"username":"dbonotto", "password":"********" }' -X POST https://zaansmeisje.atlassian.net/rest/auth/1/session
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 06 Sep 2016 10:32:55 GMT
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-AREQUESTID: 962x18637x1
X-ASEN: SEN-2330110
X-AUSERNAME: anonymous
X-ATENANT-ID: zaansmeisje.atlassian.net
X-Seraph-LoginReason: OUT
X-Seraph-LoginReason: OK
Cache-Control: no-cache, no-store, no-transform
X-Content-Type-Options: nosniff
Set-Cookie: atlassian.xsrf.token=BBFK-DW9I-1O0T-XAI2|d1f29197aefac82758df8ba7af6718590a4af86e|lout; Path=/; Secure
Set-Cookie: JSESSIONID=39EB1259A8CA92F7E62B8F4348AE9884; Path=/; Secure; HttpOnly
Set-Cookie: studio.crowd.tokenkey=""; Domain=.zaansmeisje.atlassian.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure; HttpOnly
Set-Cookie: studio.crowd.tokenkey=k4G0k02877DJJRTeBG6EUQ00; Domain=.zaansmeisje.atlassian.net; Path=/; Secure; HttpOnly
Strict-Transport-Security: max-age=315360000;includeSubDomains

{"session":{"name":"JSESSIONID","value":"39EB1259A8CA92F7E62B8F4348AE9884"},"loginInfo":{"loginCount":5,"previousLoginTime":"2016-09-06T15:55:51.499+0530"}}
$ curl -D- -H "Content-Type: application/json" -H "Cookie: atlassian.xsrf.token=BBFK-DW9I-1O0T-XAI2|d1f29197aefac82758df8ba7af6718590a4af86e|lout; JSESSIONID=39EB1259A8CA92F7E62B8F4348AE9884; studio.crowd.tokenkey=k4G0k02877DJJRTeBG6EUQ00;" -d '{"jql": "project = bussines","startAt": 0,"maxResults": 10}' -X POST https://zaansmeisje.atlassian.net/rest/api/2/search
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 06 Sep 2016 10:35:14 GMT
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-AREQUESTID: 965x18647x1
X-ASEN: SEN-2330110
X-Seraph-LoginReason: OK
X-ASESSIONID: bzwumf
X-AUSERNAME: dbonotto
X-ATENANT-ID: zaansmeisje.atlassian.net
Cache-Control: no-cache, no-store, no-transform
X-Content-Type-Options: nosniff
Set-Cookie: JSESSIONID=6B31FCC71AECA3C950CFFABFD4E33FA1; Path=/; Secure; HttpOnly
Set-Cookie: studio.crowd.tokenkey=k4G0k02877DJJRTeBG6EUQ00; Domain=.zaansmeisje.atlassian.net; Path=/; Secure; HttpOnly
Set-Cookie: atlassian.xsrf.token=BBFK-DW9I-1O0T-XAI2|8c4a4e66ff4d6c06489e6c506d636b95119b5237|lin; Path=/; Secure
Strict-Transport-Security: max-age=315360000;includeSubDomains

{"expand":"schema,names","startAt":0,"maxResults":10,"total":4,"issues":[{"expand":"operations,versionedRepresentations,editmeta,changelog,renderedFields","id":"11304","self":"https://zaansmeisje.atlassian.net/rest/api/2/issue/11304","key":"BUS-4","fields":{"issuetype":{"self":"https://zaansmeisje.atlassian.net/rest/api/2/issuetype/10200","id":"10200","description":"A task that needs to be done.","iconUrl":"https://zaansmeisje.atlassian.net/secure/viewavatar?size=xsmall&avatarId=10318&avatarType=issuetype","name":"Task","subtask":false,"avatarId":10318},"timespent":null,"project":{"self":"https://zaansmeisje.atlassian.net/rest/api/2/project/10900","id":"10900","key":"BUS","name":"bussines","avatarUrls":{"48x48":"https://zaansmeisje.atlassian.net/secure/projectavatar?avatarId=10324","24x24":"https://zaansmeisje.atlassian.net/secure/projectavatar?":........
Workaround
When calling the session endpoint, store every cookie the response sets in a cookie jar file and use that file to authenticate the subsequent calls, instead of copying the JSESSIONID value by hand. E.g.:
- Store the cookies in a cookie jar:
curl -c cookie.txt -H "Content-Type: application/json" -d '{"username":"XXXXXXXXX", "password":"XXXXXXXXX" }' -X POST https://INSTANCE/rest/auth/1/session
or
curl --cookie-jar cookie.txt -H "Content-Type: application/json" -d '{"username":"XXXXXXXXX", "password":"XXXXXXXXX" }' -X POST https://INSTANCE/rest/auth/1/session
- Use that jar to authenticate the subsequent REST calls:
curl -b cookie.txt --header "X-Atlassian-Token: no-check" -H "Content-Type: application/json" -X GET https://INSTANCE/rest/........
or
curl --cookie cookie.txt --header "X-Atlassian-Token: no-check" -H "Content-Type: application/json" -X GET https://INSTANCE/rest/........
The X-Atlassian-Token: no-check header tells Jira to skip its XSRF check for the request. Note in the transcript above that the first authenticated call already sets a new JSESSIONID, so pass -c cookie.txt on the later calls as well if you want the jar to keep up with rotated values. The jar file holds a live session for your account: keep its permissions tight and delete it when you are done.
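To make concrete why sending JSESSIONID alone fails, here is an added Python example; it is not code from the issue, the support ticket or Atlassian. It folds the Set-Cookie headers of the login response quoted above into a jar the way curl -c does (a later header for the same name overrides an earlier one; an empty value, a past Expires or Max-Age <= 0 deletes the name, which is what the studio.crowd.tokenkey="" header with a 1970 Expires does), and renders the Cookie header the follow-up call has to carry. The jira_cookie_session function at the end does the same thing for real with the standard library's http.cookiejar, which is what the curl workaround relies on; its base URL and credentials are assumed inputs of the caller and it is not exercised here because it needs a live instance.

```python
"""Replay every cookie a Jira login response sets, not only JSESSIONID.

Added example; not code from the Jira issue or from Atlassian.
"""
import http.cookiejar
import json
import urllib.request
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_set_cookie(header_values, now=None):
    """Fold a list of Set-Cookie header values into a {name: value} jar.

    Applies the rules a real cookie jar applies and that the failure on the
    page hinges on: a later header for the same name overrides an earlier
    one, and a header with an empty value, a past Expires or Max-Age <= 0
    deletes the name instead of storing it.
    """
    now = now or datetime.now(timezone.utc)
    jar = {}
    for raw in header_values:
        parts = [p.strip() for p in raw.split(";")]
        name, _, value = parts[0].partition("=")
        name, value = name.strip(), value.strip().strip('"')
        expired = value == ""
        for attr in parts[1:]:
            key, _, val = attr.partition("=")
            key = key.strip().lower()
            if key == "expires":
                try:
                    expired |= parsedate_to_datetime(val.strip()) <= now
                except (TypeError, ValueError):
                    pass  # unparsable date: treat as a session cookie
            elif key == "max-age":
                try:
                    expired |= int(val) <= 0
                except ValueError:
                    pass
        if expired:
            jar.pop(name, None)
        else:
            jar[name] = value
    return jar


def cookie_header(jar):
    """Render the jar as the value of a Cookie request header."""
    return "; ".join(f"{k}={v}" for k, v in jar.items())


# Set-Cookie values copied from the login response quoted in the issue.
LOGIN_SET_COOKIES = [
    "atlassian.xsrf.token=BBFK-DW9I-1O0T-XAI2|d1f29197aefac82758df8ba7af6718590a4af86e|lout; Path=/; Secure",
    "JSESSIONID=39EB1259A8CA92F7E62B8F4348AE9884; Path=/; Secure; HttpOnly",
    'studio.crowd.tokenkey=""; Domain=.zaansmeisje.atlassian.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure; HttpOnly',
    "studio.crowd.tokenkey=k4G0k02877DJJRTeBG6EUQ00; Domain=.zaansmeisje.atlassian.net; Path=/; Secure; HttpOnly",
]


def jira_cookie_session(base_url, username, password):
    """Log in via POST /rest/auth/1/session and return an opener whose jar
    replays every cookie the server set, which is what curl -c/-b does.

    Assumptions: base_url like https://INSTANCE, credentials the caller
    owns, and a live instance. Not exercised in this file.
    """
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    body = json.dumps({"username": username, "password": password}).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/rest/auth/1/session",
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    opener.open(req).close()  # raises urllib.error.HTTPError on 401 etc.
    # Same header the curl workaround sends: skip Jira's XSRF check.
    opener.addheaders = [("X-Atlassian-Token", "no-check"),
                         ("Content-Type", "application/json")]
    return opener


if __name__ == "__main__":
    jar = parse_set_cookie(LOGIN_SET_COOKIES)
    print("what the docs say to send: Cookie: "
          + cookie_header({"JSESSIONID": jar["JSESSIONID"]}))
    print("what actually works:       Cookie: " + cookie_header(jar))
```

Run stand-alone, the script prints the JSESSIONID-only header that the documentation implies is sufficient next to the three-cookie header that the transcript shows working. The opener returned by jira_cookie_session can be used for follow-up calls such as opener.open(base_url + "/rest/api/2/myself"); because the jar lives inside the opener, a rotated JSESSIONID on a later response is picked up automatically, which is the same property the curl -b/-c workaround gives you.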
Issue Links
- is related to JRACLOUD-63933 API Documentation for Cookie Based authentication needs update (Closed)
- is related to JRASERVER-62515 The documentation for REST API Cookie authentication is incomplete (for Cloud) (Gathering Interest)