Details
-
Bug
-
Resolution: Fixed
-
Medium
-
4
-
Severity 2 - Major
-
3
-
Description
Summary
Accessing the /rest/auth/1/session in some cases returns 3, rather then the expected 2 cookies. Additionally, the extra cookie has a blank value but no expiration date.
E.g.
studio.crowd.tokenkey=""; Domain=.foo.atlassian.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure; HttpOnly studio.crowd.tokenkey=REDACTED; Domain=.foo.atlassian.net; Path=/; Secure; HttpOnly studio.crowd.tokenkey=;Version=1;Secure; HttpOnly
Environment
1000.784.2
Steps to Reproduce
- Call the session endpoint with curl using the
Doption to print the header. E.g.
{{curlD-H "Content-Type: application/json" -c cookie.txt -d ' {"username":"USERNAME", "password":"PASSWORD" }' -X POST https://INSTANCE_URL/rest/auth/1/session}}
Expected Results
2 cookies are returned
Actual Results
3 cookies are returned, and the last one has a blank value and no expiration date:
studio.crowd.tokenkey=""; Domain=.foo.atlassian.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure; HttpOnly studio.crowd.tokenkey=REDACTED; Domain=.foo.atlassian.net; Path=/; Secure; HttpOnly studio.crowd.tokenkey=;Version=1;Secure; HttpOnly
Notes
This issue only happens to instances that are using the old authentication system
Workaround
The current workaround is to ignore the blank cookie (it should not be returned at all).
Attachments
Issue Links
- details
-
SONIC-491 Loading...
- is related to
-
- mentioned in
-
- relates to
-