Bug 876641 - set jsessionid cookie only if user logs in using credentials AND "prefer: persistent-auth" header is set
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-restapi
Severity: low
: 3.2.0
Assigned To: Michael Pasternak
Blocks: 915537
Reported: 2012-11-14 11:24 EST by David Jaša
Modified: 2016-02-10 14:24 EST
Fixed In Version: SF3
Doc Type: Bug Fix
Type: Bug
oVirt Team: Infra

Description David Jaša 2012-11-14 11:24:23 EST
Description of problem:
Currently, the jsessionid cookie is set when using HTTP authentication no matter if the "prefer: persistent-auth" header is set. This is pointless, as such a cookie cannot be used for subsequent requests instead of credentials.

Version-Release number of selected component (if applicable):
si24.1 / 3.1.0-28

How reproducible:

Steps to Reproduce:
1. Issue a request using HTTP authentication and do not set "prefer: persistent-auth":
curl ... -D - -u user@domain:pwd

Actual results:
JSESSIONID cookie is set

Expected results:
no cookie is set

Additional info:
Comment 5 Michael Pasternak 2012-12-16 05:52:35 EST
Comment 6 Elena 2013-02-06 05:12:11 EST
Verified in sf5
Comment 7 David Jaša 2013-03-16 10:00:36 EDT
The cookie is also set when authentication fails. If you believe it is a separate bug, report it.

$ curl --cacert .certs/rhevm32.pem -D - -u INVALID_name@domain:password  -H "filter: true" -H "Content-type: application/xml" -H "prefer: persistent-auth" https://exammple.com/api/vms -X GET
HTTP/1.1 401 Unauthorized
Date: Sat, 16 Mar 2013 13:54:39 GMT
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 01:00:00 CET
Set-Cookie: JSESSIONID=dIX0GaHHPBBYm6X9Uxm7ajee; Path=/api; Secure

     HERE   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

WWW-Authenticate: Basic realm="ENGINE"
Content-Type: text/html;charset=utf-8
Content-Length: 978
Connection: close

<html><head><title>JBoss Web/7.0.17..Final-redhat-1 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 401 - </h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u></u></p><p><b>description</b> <u>This request requires HTTP authentication ().</u></p><HR size="1" noshade="noshade"><h3>JBoss Web/7.0.17..Final-redhat-1</h3></body></html>
Comment 8 Michael Pasternak 2013-03-24 04:48:20 EDT
(In reply to comment #7)
> The cookie is also set when authentication fails. If you believe it is
> separate bug, report it.


This is a different issue indeed, please verify this BZ against the Description.
Comment 9 David Jaša 2013-03-25 03:55:57 EDT
I actually specified it in the summary (... only if user logs in and ...) but here you go: bug 927140
Comment 10 Itamar Heim 2013-06-11 05:10:51 EDT
3.2 has been released
Comment 11 Itamar Heim 2013-06-11 05:11:01 EDT
3.2 has been released
Comment 12 Itamar Heim 2013-06-11 05:38:22 EDT
3.2 has been released
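
A check for the behaviour reported in the description and in comment 7, as an added example that is not part of the original report or of the project's code: it reads the header block of a `curl -D -` dump and reports a JSESSIONID cookie issued on a 401 or issued when the request did not carry `prefer: persistent-auth`. The function names and sample dumps are constructed for illustration, and a 401 status is assumed to mean failed authentication.

```python
SESSION_COOKIE = "JSESSIONID"

def parse_head(dump):
    """Split a `curl -D -` dump into (status, [(lowercased name, value), ...])."""
    lines = dump.strip().splitlines()       # splitlines() also handles CRLF
    status = int(lines[0].split()[1])       # "HTTP/1.1 401 Unauthorized" -> 401
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break                           # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def session_cookie_set(headers):
    """True if any Set-Cookie header carries the session cookie."""
    return any(
        name == "set-cookie"
        and value.split(";", 1)[0].partition("=")[0].strip() == SESSION_COOKIE
        for name, value in headers
    )

def wants_persistent_auth(request_headers):
    """True if the request's Prefer header lists persistent-auth."""
    prefer = ",".join(v for k, v in request_headers.items() if k.lower() == "prefer")
    return "persistent-auth" in [t.strip().lower() for t in prefer.split(",")]

def audit(request_headers, dump):
    """Return the policy violations in one request/response pair (empty list = OK)."""
    status, headers = parse_head(dump)
    findings = []
    if session_cookie_set(headers):
        if status == 401:
            findings.append("cookie set on failed authentication")
        if not wants_persistent_auth(request_headers):
            findings.append("cookie set without prefer: persistent-auth")
    return findings

# Constructed samples modelled on the dumps in this report; cookie values are placeholders.
FAILED_LOGIN = ("HTTP/1.1 401 Unauthorized\r\n"
                "Set-Cookie: JSESSIONID=CONSTRUCTED; Path=/api; Secure\r\n"
                'WWW-Authenticate: Basic realm="ENGINE"\r\n\r\n<html>...</html>')
SUCCESS = ("HTTP/1.1 200 OK\r\n"
           "Set-Cookie: JSESSIONID=CONSTRUCTED; Path=/api; Secure\r\n"
           "Content-Type: application/xml\r\n\r\n<vms/>")

if __name__ == "__main__":
    print(audit({"prefer": "persistent-auth"}, FAILED_LOGIN))
    print(audit({}, SUCCESS))
```

An empty list from `audit` means the response matches the behaviour requested in the summary: the session cookie appears only after a successful login that asked for a persistent session.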