Jira Data Center: JRASERVER-72591

Rate limiting to perform agent specific evaluation


    • Type: Suggestion
    • Resolution: Unresolved
    • Component: REST API
    • We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      Issue Summary

      Rate limiting decides whether a request comes from the UI by checking certain cookies and headers. Some client libraries, such as https://pypi.org/project/jira/2.0.0/, keep the cookies set by the server, so all subsequent requests are evaluated as UI requests and rate limiting is not applied. These requests appear in the access logs as coming from the python agent.

      Steps to Reproduce

      1. Use the library specified above, or send back any two of the cookies/headers below:
        public static final String HEADER_ORIGIN = "origin";
        public static final String HEADER_REFERER = "Referer";
        public static final String COOKIE_SESSION_ID = "JSESSIONID";
        public static final String COOKIE_CSRF_TOKEN = "atlassian.xsrf.token";
      2. Perform requests against a Jira server with rate limiting enabled.
      3. The requests are evaluated as UI requests and are not rate limited.

      Expected Results

      Requests coming from specific agents, such as python, are not evaluated as UI requests even if they meet the cookie/header criteria for UI requests.

      Actual Results

      Requests are not limited, and they can be seen as coming from the python client in the access logs:

      192.168.20.55 272x228079x2 ****** [16/Jun/2021:04:32:05 +0200] "GET /jira/rest/api/2/field HTTP/1.0" 200 12393 161 "-" "python-requests/2.25.1" "1m3clon"
      192.168.20.55 272x228080x2 ****** [16/Jun/2021:04:32:05 +0200] "GET /jira/rest/api/2/field HTTP/1.0" 200 12393 155 "-" "python-requests/2.25.1" "160ga5k"

      Workaround

      The only workaround is to make sure the client does not send the cookies/headers that cause the request to be evaluated as a UI request.
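      To make the misclassification concrete, the following is an added example (not Jira's own code) that models the UI heuristic as the report describes it, the expected behaviour that excludes scripted agents, and a check over access log lines in the quoted format. The "two or more signals" threshold, the NON_UI_AGENT_PREFIXES list and the example hostname are assumptions.

```python
import re
from typing import Iterable, List, Mapping, Tuple

# The four "looks like the browser UI" signals named in the report.
HEADER_ORIGIN = "origin"
HEADER_REFERER = "referer"
COOKIE_SESSION_ID = "JSESSIONID"
COOKIE_CSRF_TOKEN = "atlassian.xsrf.token"
# Assumed list of scripted-client user agents that should never count as UI traffic.
NON_UI_AGENT_PREFIXES = ("python-requests/", "curl/", "java/")

def ui_signal_count(headers: Mapping[str, str], cookies: Mapping[str, str]) -> int:
    """Count the UI signals a request carries (header names compared case-insensitively)."""
    names = {k.lower() for k in headers}
    return sum([HEADER_ORIGIN in names, HEADER_REFERER in names,
                COOKIE_SESSION_ID in cookies, COOKIE_CSRF_TOKEN in cookies])

def is_ui_request_naive(headers: Mapping[str, str], cookies: Mapping[str, str]) -> bool:
    """Heuristic as the report describes it: two or more signals and rate limiting is skipped."""
    return ui_signal_count(headers, cookies) >= 2

def is_ui_request_hardened(headers: Mapping[str, str], cookies: Mapping[str, str]) -> bool:
    """Expected behaviour: a scripted agent is never UI traffic, whatever cookies it echoes back."""
    agent = {k.lower(): v for k, v in headers.items()}.get("user-agent", "").lower()
    if agent.startswith(NON_UI_AGENT_PREFIXES):
        return False
    return ui_signal_count(headers, cookies) >= 2

# Constructed request modelled on the report: python-requests replaying the server's cookies.
PYTHON_CLIENT = (
    {"User-Agent": "python-requests/2.25.1", "Referer": "https://jira.example.invalid/jira/"},
    {"JSESSIONID": "placeholder-session", "atlassian.xsrf.token": "placeholder-token"},
)

# Access log lines in the format quoted in the report (request line, sizes, referer, user agent).
LOG_RE = re.compile(r'"[A-Z]+ (?P<path>\S+) [^"]*" \d+ \d+ \d+ "[^"]*" "(?P<agent>[^"]*)"')
SAMPLE_LOG = [
    '192.168.20.55 272x228079x2 ****** [16/Jun/2021:04:32:05 +0200] "GET /jira/rest/api/2/field HTTP/1.0" 200 12393 161 "-" "python-requests/2.25.1" "1m3clon"',
    '192.168.20.55 272x228080x2 ****** [16/Jun/2021:04:32:05 +0200] "GET /jira/rest/api/2/field HTTP/1.0" 200 12393 155 "-" "python-requests/2.25.1" "160ga5k"',
]

def scripted_rest_hits(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Detection: (path, agent) of REST API requests made by scripted agents, to audit against limits."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and "/rest/api/" in m.group("path") and m.group("agent").lower().startswith(NON_UI_AGENT_PREFIXES):
            hits.append((m.group("path"), m.group("agent")))
    return hits
```

Running `scripted_rest_hits` over the real access log gives the list of scripted REST API requests whose rate-limit counters should be checked.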
