Description of problem:
currently, the jsessionid cookie is set when using HTTP authentication no matter if "prefer: persistent-auth" header is set. This is pointless as such cookie can not be used for subsequent requests instead of credentials.

Version-Release number of selected component (if applicable):
si24.1 / 3.1.0-28

How reproducible:
always

Steps to Reproduce:
1. issue a request using HTTP authentication and do not set "prefer: persistent-auth":
   curl ... -D - -u user@domain:pwd
2.
3.

Actual results:
JSESSIONID cookie is set

Expected results:
no cookie is set

Additional info:
http://gerrit.ovirt.org/10104
Verified in sf5
The cookie is also set when authentication fails. If you believe it is a separate bug, report it.

$ curl --cacert .certs/rhevm32.pem -D - -u INVALID_name@domain:password -H "filter: true" -H "Content-type: application/xml" -H "prefer: persistent-auth" https://exammple.com/api/vms -X GET
HTTP/1.1 401 Unauthorized
Date: Sat, 16 Mar 2013 13:54:39 GMT
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 01:00:00 CET
Set-Cookie: JSESSIONID=dIX0GaHHPBBYm6X9Uxm7ajee; Path=/api; Secure
HERE ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
WWW-Authenticate: Basic realm="ENGINE"
Content-Type: text/html;charset=utf-8
Content-Length: 978
Connection: close

<html><head><title>JBoss Web/7.0.17..Final-redhat-1 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 401 - </h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u></u></p><p><b>description</b> <u>This request requires HTTP authentication ().</u></p><HR size="1" noshade="noshade"><h3>JBoss Web/7.0.17..Final-redhat-1</h3></body></html>
(In reply to comment #7)
> The cookie is also set when authentication fails. If you believe it is
> a separate bug, report it.
>
>

David,
This is a different issue indeed, please verify this BZ against the Description.
I actually specified it in summary (... only if user logs in and ...) but here you go: bug 927140
3.2 has been released
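
A regression check for the behaviour discussed in this report, added here as an example (it is not code from the oVirt project or from any commenter). It reads a `curl -D -` style header dump and reports a JSESSIONID cookie that was set without "prefer: persistent-auth" on the request, or on a 401 response as in the follow-up comment. The function names and the sample responses are hypothetical and constructed for illustration.

```python
# Added example: audits a `curl -D -` header dump against the cookie policy in this report.
SESSION_COOKIE = "JSESSIONID"

def parse_response_head(dump):
    """Return (status_code, [(lowercased_name, value), ...]) for the response head."""
    lines = dump.replace("\r\n", "\n").split("\n")
    status = int(lines[0].split()[1])          # "HTTP/1.1 401 Unauthorized" -> 401
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break                              # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def cookie_names(headers):
    """Names of all cookies set by the response (Set-Cookie may repeat)."""
    return {v.split(";", 1)[0].split("=", 1)[0].strip()
            for n, v in headers if n == "set-cookie"}

def wants_persistent_auth(request_headers):
    """True if the request carried the persistent-auth preference (case-insensitive)."""
    for name, value in request_headers.items():
        if name.lower() == "prefer":
            if "persistent-auth" in [p.strip().lower() for p in value.split(",")]:
                return True
    return False

def audit(request_headers, dump):
    """Return a list of findings; an empty list means the response follows the policy."""
    status, headers = parse_response_head(dump)
    if SESSION_COOKIE not in cookie_names(headers):
        return []
    findings = []
    if not wants_persistent_auth(request_headers):
        findings.append("session cookie set without 'prefer: persistent-auth'")
    if status == 401:
        findings.append("session cookie set on a 401 response")
    return findings

# Constructed sample responses (cookie value is a placeholder, not a real session id).
FAILED_LOGIN = ("HTTP/1.1 401 Unauthorized\r\n"
                "Set-Cookie: JSESSIONID=PLACEHOLDER; Path=/api; Secure\r\n"
                'WWW-Authenticate: Basic realm="ENGINE"\r\n\r\n')
OK_LOGIN = ("HTTP/1.1 200 OK\r\n"
            "Set-Cookie: JSESSIONID=PLACEHOLDER; Path=/api; Secure\r\n\r\n")

if __name__ == "__main__":
    print(audit({"prefer": "persistent-auth"}, FAILED_LOGIN))
    print(audit({}, OK_LOGIN))
```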