Bug 1358434

Summary: Restapi access should create sessions only if persistent_auth is requested
Product: [oVirt] ovirt-engine
Reporter: Ravi Nori <rnori>
Component: AAA
Assignee: Ravi Nori <rnori>
Status: CLOSED CURRENTRELEASE
QA Contact: Lucie Leistnerova <lleistne>
Severity: medium
Priority: unspecified
Version: 4.0.0
CC: bugs, lleistne, mgoldboi, mperina, pstehlik, sbonazzo
Target Milestone: ovirt-4.0.4
Keywords: ZStream
Target Release: 4.0.4
Flags: rule-engine: ovirt-4.0.z+, rule-engine: planning_ack+, mperina: devel_ack+, pstehlik: testing_ack+
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2016-09-26 12:34:10 UTC
Type: Bug
oVirt Team: Infra

Description Ravi Nori 2016-07-20 16:35:45 UTC
Description of problem:

Accessing api without persistent-auth creates sessions on engine that are not cleaned up until session expires

Version-Release number of selected component (if applicable): 4.0


How reproducible:


Steps to Reproduce:
1. Access api using curl 
   curl -X GET -D - -u admin@internal:<passwd> -H "filter: true" -H "Accept: application/xml" -H "Content-Type: application/xml"  http://127.0.0.1:8080/ovirt-engine/api/vms
2. Returns JSESSIONID in response

Actual results:

A session is created on engine and JSESSIONID is returned

Expected results:

Session should not be created and JSESSIONID should not be returned unless -H "Prefer: persistent-auth" is specified on the command line

Additional info:

JSESSIONID should only be returned if -H "Prefer: persistent-auth"  is passed

Comment 1 Martin Perina 2016-07-21 14:23:01 UTC
Moving back to POST as we need to backport ovirt-engine-4.0

Comment 2 Lucie Leistnerova 2016-09-13 11:53:13 UTC
Without -H "Prefer: persistent-auth", restapi doesn't return a session id in both versions 3 and 4.

Verified in ovirt-engine-restapi-4.0.4.1-0.1.el7ev.noarch
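
An added example (not part of the bug report and not ovirt-engine code): a shell check for the expected results stated in the description, applied to a response-header dump such as the one `curl -D` writes. The function names and the sample header dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example. Input is a response-header dump, e.g. the file written by
# `curl -s -o /dev/null -D headers.txt ...` for the request in the report.

# Succeeds if any Set-Cookie header in the dump sets JSESSIONID.
# HTTP header names are case-insensitive, hence -i.
has_session_cookie() {
    grep -Eiq '^set-cookie:[[:space:]]*JSESSIONID=' "$1"
}

# check_session_policy <prefer_sent: yes|no> <header-dump>
# Prints a verdict and fails only for the case this bug describes: a session
# cookie issued although "Prefer: persistent-auth" was not sent.
check_session_policy() {
    if [ "$1" != yes ] && has_session_cookie "$2"; then
        echo "session-leak"
        return 1
    fi
    echo "ok"
}

# Writes two constructed header dumps (not captured from a real engine).
write_samples() {
    printf 'HTTP/1.1 200 OK\r\nSet-Cookie: JSESSIONID=constructed-value; Path=/; HttpOnly\r\nContent-Type: application/xml\r\n\r\n' > "$1/with_cookie.txt"
    printf 'HTTP/1.1 200 OK\r\nContent-Type: application/xml\r\n\r\n' > "$1/no_cookie.txt"
}

# Demo on the constructed dumps.
tmp=$(mktemp -d)
write_samples "$tmp"
check_session_policy no  "$tmp/with_cookie.txt" || true  # behaviour before the fix
check_session_policy no  "$tmp/no_cookie.txt"            # behaviour after the fix
check_session_policy yes "$tmp/with_cookie.txt"          # session was requested
rm -rf "$tmp"
```
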