eZ Publish / Platform / EZP-21032

Rest spec missing info about is_logged_in cookie when explaining session based auth

    Details

      Description

      When using session based auth in REST v2 you also need to send the is_logged_in cookie.
      This is needed for LS integration.
      But AFAIK in at least 5.0 and 5.1 session based auth depends partly on legacy and the cookie is indeed needed.

      So, in the spec, the is_logged_in cookie should be explained in the "1.2.3 Session based Authentication" chapter, maybe more precisely in the "1.2.3.1 Session cookie" chapter.

        Issue Links

          Activity

          Vidar Langseid created issue -
          Vidar Langseid made changes -
          Field Original Value New Value
          Affects Version/s 5.2-dev [ 12300 ]
          Affects Version/s 5.2 [ 11281 ]
          Vidar Langseid made changes -
          Link This issue discovered while testing EZP-20322 [ EZP-20322 ]
          André Rømcke made changes -
          Status Open [ 1 ] Confirmed [ 10037 ]
          André Rømcke made changes -
          Status Confirmed [ 10037 ] InputQ [ 10001 ]
          Bertrand Dunogier made changes -
          Assignee Bertrand Dunogier [ bertrand.dunogier@ez.no ]
          Bertrand Dunogier added a comment -

          I'll take care of it.

          Bertrand Dunogier added a comment -

          Hmmm, thinking about it, if we need this is_logged_in cookie, shouldn't it be set when sending a successful POST request to /user/sessions?

          Vidar Langseid added a comment -

          hmmm.... It has been some time since I worked on this.
          If you say /user/sessions sets the cookie, then I guess there is no issue after all.
          When thinking about it, I am pretty sure that the test code is unable to catch it, if the cookie is actually set.

          Bertrand Dunogier added a comment -

          I have tested the login process, and I can confirm that the is_logged_in cookie is set by REST:

          HTTP/1.1 201 Created
          Cache-Control: no-cache
          Content-Type: application/vnd.ez.api.Session+json
          Date: Tue, 08 Oct 2013 08:25:35 GMT
          Location: /api/ezp/v2/user/sessions/chu45frb7n000ag4r9hurm6d82
          Server: Apache/2.2.22 (Ubuntu)
          Set-Cookie: eZSESSID=chu45frb7n000ag4r9hurm6d82; path=/
          Set-Cookie: is_logged_in=true; path=/
          Status: 201 Created
          Transfer-Encoding: chunked
          X-Debug-Token: 28dae4
          X-Powered-By: PHP/5.3.10-1ubuntu3.8
           
          {
              "Session": {
                  "User": {
                      "_href": "/api/ezp/v2/user/users/14",
                      "_media-type": "application/vnd.ez.api.User+json"
                  },
                  "_href": "/api/ezp/v2/user/sessions/chu45frb7n000ag4r9hurm6d82",
                  "_media-type": "application/vnd.ez.api.Session+json",
                  "csrfToken": "e9c971bc0ceff19dc6040f3397150f288e5384bc",
                  "identifier": "chu45frb7n000ag4r9hurm6d82",
                  "name": "eZSESSID"
              }
          }

          But mentioning it in the specs still sounds valid to me.

          Bertrand Dunogier logged work - 08/Oct/13 11:28 AM
          • Time Spent:
            1 hour
             
            <No comment>
          Bertrand Dunogier made changes -
          Status InputQ [ 10001 ] Development [ 3 ]
          Bertrand Dunogier added a comment - Pull request: https://github.com/ezsystems/ezpublish-kernel/pull/550 .
          Bertrand Dunogier made changes -
          Remote Link This issue links to "PR ezpublish-kernel#550 (Web Link)" [ 12733 ]
          Bertrand Dunogier made changes -
          Remaining Estimate 0 minutes [ 0 ]
          Time Spent 1 hour [ 3600 ]
          Worklog Id 40976 [ 40976 ]
          Bertrand Dunogier made changes -
          Status Development [ 3 ] Development review [ 10006 ]
          Bertrand Dunogier added a comment - Merged to master https://github.com/ezsystems/ezpublish-kernel/commit/9c5e069bcbf403605aef5d54bd25610cdc06cd65 .
          Bertrand Dunogier made changes -
          Status Development review [ 10006 ] Development Review done [ 10028 ]
          Bertrand Dunogier made changes -
          Affects Version/s 5.0 [ 10300 ]
          Bertrand Dunogier made changes -
          Fix Version/s 5.2-rc1 [ 12781 ]
          Bertrand Dunogier made changes -
          Status Development Review done [ 10028 ] Documentation done [ 10011 ]
          Filipe Dobreira (Inactive) made changes -
          Status Documentation done [ 10011 ] QA [ 10008 ]
          Assignee Bertrand Dunogier [ bertrand.dunogier@ez.no ] Filipe Dobreira [ filipe.dobreira@ez.no ]
          Filipe Dobreira (Inactive) added a comment -

          QA Approved

          Filipe Dobreira (Inactive) made changes -
          Assignee Filipe Dobreira [ filipe.dobreira@ez.no ]
          Status QA [ 10008 ] Closed [ 6 ]
          Resolution Fixed [ 1 ]
          Gaetano Giunta (Inactive) added a comment -

          Just for info: most clients used for querying the rest-api, except the browser-based ones, will happily ignore any Set-Cookie header in the response, as they expect none.

          So documentation in this case is important.

          Otoh I'd like to get rid of the requirement of this cookie, if possible, for rest calls (it might be needed for proper caching though...)
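
Added example, not part of the comments above and not eZ Publish code: a non-browser REST client has to carry the cookies itself, so this Python sketch reads both Set-Cookie lines from the POST /user/sessions response quoted in this thread and builds the Cookie header for later calls. The function names are illustrative, and the embedded sample is a trimmed copy of that response.

```python
import json
from http.cookies import SimpleCookie

# Trimmed copy of the 201 response quoted in the comment above.
SAMPLE_RESPONSE = (
    "HTTP/1.1 201 Created\r\n"
    "Content-Type: application/vnd.ez.api.Session+json\r\n"
    "Set-Cookie: eZSESSID=chu45frb7n000ag4r9hurm6d82; path=/\r\n"
    "Set-Cookie: is_logged_in=true; path=/\r\n"
    "\r\n"
    '{"Session": {"name": "eZSESSID",'
    ' "identifier": "chu45frb7n000ag4r9hurm6d82",'
    ' "csrfToken": "e9c971bc0ceff19dc6040f3397150f288e5384bc"}}'
)


def parse_response(raw):
    """Split a raw HTTP response into (status, header list, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    # Keep headers as a list: a dict would keep only one Set-Cookie line.
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return int(status_line.split()[1]), headers, body


def session_cookies(raw):
    """Return (cookie jar, csrfToken) from a POST /user/sessions response."""
    status, headers, body = parse_response(raw)
    if status != 201:
        raise ValueError(f"session not created: HTTP {status}")
    jar = {}
    for name, value in headers:
        if name == "set-cookie":
            parsed = SimpleCookie()
            parsed.load(value)
            jar.update({key: morsel.value for key, morsel in parsed.items()})
    session = json.loads(body)["Session"]
    if jar.get(session["name"]) != session["identifier"]:
        raise ValueError("session cookie does not match the Session body")
    if "is_logged_in" not in jar:
        raise ValueError("is_logged_in cookie was not set by the server")
    return jar, session["csrfToken"]


def cookie_header(jar):
    """Build the Cookie header value to send on later REST calls."""
    return "; ".join(f"{name}={value}" for name, value in jar.items())
```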

          Joao Inacio (Inactive) made changes -
          Link This issue relates to EZP-22500 [ EZP-22500 ]
          André Rømcke made changes -
          Workflow eZ Engineering Scrumban Workflow [ 56072 ] EZ* Development Workflow [ 83918 ]
          Alex Schuster made changes -
          Workflow EZ* Development Workflow [ 83918 ] EZEE Development Workflow [ 122541 ]
          Transition | Time In Source Status | Execution Times | Last Executer | Last Execution Date
          Open → Confirmed | 96d 18h 40m | 1 | André Rømcke | 16/Sep/13 10:22 AM
          Confirmed → InputQ | 3s | 1 | André Rømcke | 16/Sep/13 10:22 AM
          InputQ → Development | 22d 1h 5m | 1 | Bertrand Dunogier | 08/Oct/13 11:28 AM
          Development → Development Review | 6h 38m | 1 | Bertrand Dunogier | 08/Oct/13 6:06 PM
          Development Review → Development Review done | 17s | 1 | Bertrand Dunogier | 08/Oct/13 6:06 PM
          Development Review done → Documentation Review done | 23s | 1 | Bertrand Dunogier | 08/Oct/13 6:06 PM
          Documentation Review done → QA | 22h 17m | 1 | Filipe Dobreira (Inactive) | 09/Oct/13 4:24 PM
          QA → Closed | 14m 2s | 1 | Filipe Dobreira (Inactive) | 09/Oct/13 4:38 PM

            People

            • Assignee: Unassigned
            • Reporter: Vidar Langseid
            • Votes: 0
            • Watchers: 7

            Time Tracking

            • Original Estimate: Not Specified
            • Remaining Estimate: 0 minutes
            • Time Spent: 1 hour