REST API Authentication Timeouts?

Hi all,

We just upgraded our YouTrack instance from 4.0.2 up to 4.2.1 and I'm noticing some issues with a tool I've written to interop with the REST API.

Previously I was caching my Auth cookie/credentials in a naive way (just caching for 2 hours, actually) without checking the Expiration time on the cookie header; however, this didn't actually pose any problems and my app worked fine.

Under 2.4.1 however, I see that the cookie expires pretty much instantly:

curl -v -d login=markd http://youtrack/rest/user/login
Wed 10 Apr 2013 10:22:41 NZST
< Set-Cookie: JSESSIONID=...;Path=/
< Set-Cookie: jetbrains.charisma.main.security.PRINCIPAL=....;Path=/;Expires=Wed, 09-Apr-2014 22:22:41 GMT

Essentially this means I need to auth on every request? Doesn't this make using a cookie for auth kinda pointless?

Or has the API changed?
5 comments
Hello Mark,

Sorry for the delay.
As far as I can see, the cookie was set correctly and expires in April 2014. You have to auth only once for the session.

Thank you.
0
Strange, to be honest I didn't actually notice the 2014 there, only the date/time/timezone being the same.

However, the YouTrack server still seems to be failing authentication when passing the cookies.

I'll see if I can track down anything further.
0
Mark,

Could you please provide us with details, then: how did you install YouTrack (.WAR, .JAR, Win service)? How did you upgrade YouTrack: did you remove the old version or leave both? The issue may be caused by the old version, if the port is the same.
0
I'll chase this up with our operations team as they manage the installation, AFAIK the old version was removed and we only have the one instance running.
0
I think I've solved the issue. http://confluence.jetbrains.com/display/YTD3/Log+in+to+YouTrack doesn't explicitly mention which cookies need to be sent through to the server for subsequent requests, and it doesn't appear that any other page on the wiki mentions it either, other than showing both JSESSIONID and jetbrains.charisma.main.security.PRINCIPAL cookies on each request.

I was blindly storing ALL cookies returned from my POST to /rest/user/login and reusing them. It would seem that under 4.2.1 the JSESSIONID is expiring, whereas previously I assume it wasn't.

Changing my code to only store/submit the jetbrains.charisma.main.security.PRINCIPAL cookie seems to have solved the problem.
0
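
The approach described in the last comment, as an added example (not code from the thread or from YouTrack): parse the login response's Set-Cookie headers, keep only the persistent PRINCIPAL cookie, and honor its Expires value instead of a fixed cache window. The cookie values are constructed placeholders and the function names are hypothetical.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

PRINCIPAL = "jetbrains.charisma.main.security.PRINCIPAL"

# Constructed sample: Set-Cookie values shaped like the login response
# quoted in the thread, with placeholder cookie values.
SAMPLE_SET_COOKIE = [
    "JSESSIONID=sess-placeholder;Path=/",
    PRINCIPAL + "=principal-placeholder;Path=/;Expires=Wed, 09-Apr-2014 22:22:41 GMT",
]


def parse_login_cookies(set_cookie_values):
    """Return {name: (value, expires)}; expires is None for session cookies."""
    cookies = {}
    for raw in set_cookie_values:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            expires = None
            if morsel["expires"]:
                expires = parsedate_to_datetime(morsel["expires"])
                if expires.tzinfo is None:  # treat a naive result as GMT
                    expires = expires.replace(tzinfo=timezone.utc)
            cookies[name] = (morsel.value, expires)
    return cookies


def cookie_header_for_reuse(set_cookie_values, now):
    """Build a Cookie header that carries only the PRINCIPAL cookie.

    Returns None when the cookie is absent or past its Expires time,
    which tells the caller to log in again. JSESSIONID is deliberately
    not replayed, since a stale session id is what broke reuse here.
    """
    cookies = parse_login_cookies(set_cookie_values)
    if PRINCIPAL not in cookies:
        return None
    value, expires = cookies[PRINCIPAL]
    if expires is not None and now >= expires:
        return None
    return f"{PRINCIPAL}={value}"


if __name__ == "__main__":
    print(cookie_header_for_reuse(SAMPLE_SET_COOKIE, datetime.now(timezone.utc)))
```

Because the Expires value shown in the thread is a year out, the stored cookie is effectively a long-lived credential and belongs in the same protected storage as a password or API token.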
