Bug 876641

Summary: set jsessionid cookie only if user logs in using credentials AND "prefer: persistent-auth" header is set
Product: Red Hat Enterprise Virtualization Manager
Reporter: David Jaša <djasa>
Component: ovirt-engine-restapi
Assignee: Michael Pasternak <mpastern>
Status: CLOSED CURRENTRELEASE
QA Contact: Elena <edolinin>
Severity: low
Docs Contact:
Priority: unspecified
Version: 3.1.0
CC: bazulay, dyasny, ecohen, iheim, mpastern, Rhev-m-bugs, sgrinber, srevivo, ykaul
Target Milestone: ---
Target Release: 3.2.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: infra
Fixed In Version: SF3
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 915537

Description David Jaša 2012-11-14 16:24:23 UTC
Description of problem:
Currently, the jsessionid cookie is set when using HTTP authentication no matter if the "prefer: persistent-auth" header is set. This is pointless, as such a cookie cannot be used for subsequent requests instead of credentials.

Version-Release number of selected component (if applicable):
si24.1 / 3.1.0-28

How reproducible:
always

Steps to Reproduce:
1. issue a request using HTTP authentication and do not set "prefer: persistent-auth":
curl ... -D - -u user@domain:pwd 
  
Actual results:
JSESSIONID cookie is set

Expected results:
no cookie is set

Additional info:

Comment 5 Michael Pasternak 2012-12-16 10:52:35 UTC
http://gerrit.ovirt.org/10104

Comment 6 Elena 2013-02-06 10:12:11 UTC
Verified in sf5

Comment 7 David Jaša 2013-03-16 14:00:36 UTC
The cookie is also set when authentication fails. If you believe it is a separate bug, report it.


$ curl --cacert .certs/rhevm32.pem -D - -u INVALID_name@domain:password  -H "filter: true" -H "Content-type: application/xml" -H "prefer: persistent-auth" https://exammple.com/api/vms -X GET
HTTP/1.1 401 Unauthorized
Date: Sat, 16 Mar 2013 13:54:39 GMT
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 01:00:00 CET
Set-Cookie: JSESSIONID=dIX0GaHHPBBYm6X9Uxm7ajee; Path=/api; Secure

     HERE   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

WWW-Authenticate: Basic realm="ENGINE"
Content-Type: text/html;charset=utf-8
Content-Length: 978
Connection: close

<html><head><title>JBoss Web/7.0.17..Final-redhat-1 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 401 - </h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u></u></p><p><b>description</b> <u>This request requires HTTP authentication ().</u></p><HR size="1" noshade="noshade"><h3>JBoss Web/7.0.17..Final-redhat-1</h3></body></html>

Comment 8 Michael Pasternak 2013-03-24 08:48:20 UTC
(In reply to comment #7)
> The cookie is also set when authentication fails. If you believe it is
> a separate bug, report it.

David,

This is a different issue indeed, please verify this BZ against the Description.

Comment 9 David Jaša 2013-03-25 07:55:57 UTC
I actually specified it in the summary (... only if user logs in and ...) but here you go: bug 927140

Comment 10 Itamar Heim 2013-06-11 09:10:51 UTC
3.2 has been released

Comment 11 Itamar Heim 2013-06-11 09:11:01 UTC
3.2 has been released

Comment 12 Itamar Heim 2013-06-11 09:38:22 UTC
3.2 has been released
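
The rule in this bug's summary, together with the failed-login case from comment 7, can be turned into a regression check over `curl -D -` header dumps. The following is an added example, not code from the bug or from oVirt; the function names are hypothetical, and treating any 2xx status as a successful login is an assumption.

```python
# Added example, not oVirt code: audits one request/response pair against the
# rule in this bug's summary. Treating any 2xx status as "logged in" is an assumption.

def parse_response_head(raw):
    """Parse a 'curl -D -' header dump into (status_code, [(name, value), ...])."""
    lines = [ln.strip() for ln in raw.strip().splitlines()]
    status = int(lines[0].split()[1])          # "HTTP/1.1 401 Unauthorized" -> 401
    headers = []
    for ln in lines[1:]:
        if not ln:                             # blank line ends the header block
            break
        name, sep, value = ln.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return status, headers

def sets_cookie(headers, cookie="JSESSIONID"):
    """True if any Set-Cookie header issues the named cookie."""
    return any(n == "set-cookie" and v.split(";")[0].split("=")[0].strip() == cookie
               for n, v in headers)

def wants_persistent_auth(request_headers):
    """True if the request carried 'Prefer: persistent-auth' (name is case-insensitive)."""
    for name, value in request_headers.items():
        if name.lower() == "prefer":
            return "persistent-auth" in [t.strip().lower() for t in value.split(",")]
    return False

def audit(request_headers, raw_response):
    """Return a list of findings; an empty list means the exchange follows the rule."""
    status, headers = parse_response_head(raw_response)
    findings = []
    if sets_cookie(headers):
        if not 200 <= status < 300:
            findings.append("cookie issued although authentication did not succeed")
        if not wants_persistent_auth(request_headers):
            findings.append("cookie issued without prefer: persistent-auth")
    return findings

# Header lines as shown in comment 7 (response body omitted).
FAILED_LOGIN = """HTTP/1.1 401 Unauthorized
Set-Cookie: JSESSIONID=dIX0GaHHPBBYm6X9Uxm7ajee; Path=/api; Secure
WWW-Authenticate: Basic realm="ENGINE"
"""
# Constructed sample: a successful request that did not ask for a session.
NO_PREFER = """HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=CONSTRUCTEDVALUE; Path=/api; Secure
Content-Type: application/xml
"""
```
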