In 3.5.0 there is double login into application: 1. backend 2. restapi This result in double delay when login, we already had many bugs opened because of login performance when user is using ldap and many groups. We tried to improve this greatly in 3.5, however because of the double login it won't be visible or even worse. Options to solve this in 3.5 should be applied: 1. use ovirt-engine/webadmin/api to redirect into api. 2. add query to return the engine session id, and add a internal private header to restapi to accept context. 3. retrieve session if using ssl. Anything to avoid double login, even temporary solutions that are to be removed in 3.6.
actually since 3.2.2
BTW: this also solved SSO into the application, as the unexpected assumption of reusing password would have caused application not to work within SSO environment in which password is not available to application.
... Accept-Language en-US,en;q=0.5 Authorization Basic XXXXXXXXXXXXXXXXXXXXXXXXXX Connection keep-alive Cookie JSESSIONID=P6sJvYVOoQk95pn0l84OwVBI; locale=en_US DNT 1 Host 10.34.63.31 JSESSIONID P6sJvYVOoQk95pn0l84OwVBI Prefer persistent-auth, csrf-protection ... is there a reason to still send "Authorization" header?
(In reply to Ondra Machacek from comment #3) > is there a reason to still send "Authorization" header? no. are you sure you invalidated all credentials from your browser instance?
aha, after I invalidated it. no "Authorization" header appears.
(In reply to Ondra Machacek from comment #3) > ... > Accept-Language en-US,en;q=0.5 > Authorization Basic XXXXXXXXXXXXXXXXXXXXXXXXXX > Connection keep-alive > Cookie JSESSIONID=P6sJvYVOoQk95pn0l84OwVBI; locale=en_US > DNT 1 > Host 10.34.63.31 > JSESSIONID P6sJvYVOoQk95pn0l84OwVBI > Prefer persistent-auth, csrf-protection > ... > > is there a reason to still send "Authorization" header? Sorry for late reply. The reason why "Authorization" header is still sent is probably due to default web browser behavior - once this header is set, it will aways be sent by the browser alongside request to given target origin. This is also why "Authorization" header is not really appropriate for doing auth stuff in modern web applications.
oVirt 3.5.1 has been released. If problems still persist, please make note of it in this bug report.