EZP-21032 (eZ Publish / Platform)

Rest spec missing info about is_logged_in cookie when explaining session based auth


      Description

      When using session based auth in REST v2 you also need to send the is_logged_in cookie.
      This is needed for LS integration.
      But AFAIK in at least 5.0 and 5.1 session based auth depends partly on legacy, and the cookie is indeed needed.

      So, in the spec, the is_logged_in cookie should be explained in the "1.2.3 Session based Authentication" chapter, maybe more precisely in the "1.2.3.1 Session cookie" chapter.


          Activity

          Gaetano Giunta (Inactive) added a comment -

          Just for info: most clients used for querying the rest-api, except the browser-based ones, will happily ignore any Set-Cookie header in the response, as they expect none.

          So documentation in this case is important.

          Otoh I'd like to get rid of the requirement of this cookie, if possible, for rest calls (it might be needed for proper caching though...)

          Filipe Dobreira (Inactive) added a comment -

          QA Approved

          Bertrand Dunogier added a comment - Merged to master https://github.com/ezsystems/ezpublish-kernel/commit/9c5e069bcbf403605aef5d54bd25610cdc06cd65 .
          Bertrand Dunogier added a comment - Pull request: https://github.com/ezsystems/ezpublish-kernel/pull/550 .
          Bertrand Dunogier added a comment -

          I have tested the login process, and I can confirm that the is_logged_in cookie is set by REST:

          HTTP/1.1 201 Created
          Cache-Control: no-cache
          Content-Type: application/vnd.ez.api.Session+json
          Date: Tue, 08 Oct 2013 08:25:35 GMT
          Location: /api/ezp/v2/user/sessions/chu45frb7n000ag4r9hurm6d82
          Server: Apache/2.2.22 (Ubuntu)
          Set-Cookie: eZSESSID=chu45frb7n000ag4r9hurm6d82; path=/
          Set-Cookie: is_logged_in=true; path=/
          Status: 201 Created
          Transfer-Encoding: chunked
          X-Debug-Token: 28dae4
          X-Powered-By: PHP/5.3.10-1ubuntu3.8
           
          {
              "Session": {
                  "User": {
                      "_href": "/api/ezp/v2/user/users/14",
                      "_media-type": "application/vnd.ez.api.User+json"
                  },
                  "_href": "/api/ezp/v2/user/sessions/chu45frb7n000ag4r9hurm6d82",
                  "_media-type": "application/vnd.ez.api.Session+json",
                  "csrfToken": "e9c971bc0ceff19dc6040f3397150f288e5384bc",
                  "identifier": "chu45frb7n000ag4r9hurm6d82",
                  "name": "eZSESSID"
              }
          }

          But mentioning it in the specs still sounds valid to me.

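Gaetano's remark that non-browser clients drop Set-Cookie and Vidar's that the test code could not catch the cookie both come down to inspecting the Set-Cookie headers explicitly. The following added example (not code from the issue or from ezpublish-kernel) parses the 201 response quoted above, constructed inline from its headers and a shortened body, checks that both eZSESSID and is_logged_in arrive, and builds the Cookie header a non-browser client has to replay on later requests.

```python
import json
from http.cookies import SimpleCookie

# Constructed from the 201 response quoted in the issue (headers trimmed, body shortened).
RAW_RESPONSE = (
    "HTTP/1.1 201 Created\r\n"
    "Content-Type: application/vnd.ez.api.Session+json\r\n"
    "Location: /api/ezp/v2/user/sessions/chu45frb7n000ag4r9hurm6d82\r\n"
    "Set-Cookie: eZSESSID=chu45frb7n000ag4r9hurm6d82; path=/\r\n"
    "Set-Cookie: is_logged_in=true; path=/\r\n"
    "\r\n"
    '{"Session": {"identifier": "chu45frb7n000ag4r9hurm6d82", "name": "eZSESSID",'
    ' "csrfToken": "e9c971bc0ceff19dc6040f3397150f288e5384bc"}}'
)


def parse_response(raw):
    """Split a raw HTTP response into (status, [(name, value)], json_body); repeated Set-Cookie lines are kept."""
    head, body = raw.split("\r\n\r\n", 1)
    status_line, *header_lines = head.split("\r\n")
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return int(status_line.split()[1]), headers, json.loads(body)


def session_cookies(headers):
    """Collect every Set-Cookie header into {name: value}; a client that discards Set-Cookie ends up with {} here."""
    jar = {}
    for name, value in headers:
        if name == "set-cookie":
            cookie = SimpleCookie()
            cookie.load(value)
            jar.update({k: m.value for k, m in cookie.items()})
    return jar


def check_login(raw):
    """Validate the login response; return the Cookie header to replay, or raise if a required cookie is missing."""
    status, headers, body = parse_response(raw)
    if status != 201:
        raise ValueError(f"login failed: HTTP {status}")
    session = body["Session"]
    jar = session_cookies(headers)
    # The body names the session cookie (eZSESSID); its value must match the identifier.
    if jar.get(session["name"]) != session["identifier"]:
        raise ValueError("session cookie missing or does not match identifier")
    # is_logged_in is what the legacy stack relies on, hence the check the test code lacked.
    if jar.get("is_logged_in") != "true":
        raise ValueError("is_logged_in cookie not set")
    return "; ".join(f"{k}={v}" for k, v in jar.items())
```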
          Vidar Langseid added a comment -

          hmmm.... It has been some time since I worked on this.
          If you say /user/sessions sets the cookie, then I guess there is no issue after all.
          When thinking about it, I am pretty sure that the test code is unable to catch it, if the cookie is actually set

          Bertrand Dunogier added a comment -

          Hmmm, thinking about it, if we need this is_logged_in cookie, shouldn't it be set when sending a successful POST request to /user/sessions?

          Bertrand Dunogier added a comment -

          I'll take care of it.


            People

            Assignee: Unassigned
            Reporter: Vidar Langseid