REST API: httpAuth "RememberMe" cookie
Hello,
Recently, most probably in TeamCity update 9.1, there was a change that introduced a serious problem for my interactive script based on REST API.
That is: TeamCity server no longer returns correct "RememberMe" cookie after subsequent http requests.
How it worked prior to 9.1:
The first request for authentication, which contains login and password passed via basic authentication ( curl -u login:password ) does return TCSESSIONID cookie, but no RememberMe cookie.
However, if I send more requests with newly acquired TCSESSIONID, all further requests will also contain RememberMe cookie.
If I renew cookie file ( curl -b ./cookie -c ./cookie ), it allowed me to use a single authentication for a very long time ( 2 weeks actually, and it got prolonged with each renew ), which is very convenient for an interactive script that is used every day.
How it works now:
All requests, regardless of whether they contain login and password passed via basic authentication or an existing TCSESSIONID cookie, will either not return RememberMe at all, or return an empty one.
I wonder if it is possible to make TeamCity return RememberMe in curl requests as it did before.
Also, I may actually be wrong regarding the statement that the 9.1 update changed this - possibly, it was not even an update, but some server settings' changes. However, I do not know a way to verify it.
Lastly, I may add that RememberMe is correctly returned in normal authentication requests via GUI.
If I emulate such a request via curl ( curl 'http://TeamCity-address/loginSubmit.html' --data-binary 'username=login&remember=true&_remember=&submitLogin=Log+in&publicKey=<...>&encryptedPassword=<...>' ), I also get the RememberMe cookie correctly, but I have no way of getting publicKey for encryption in a command line script, or at least I do not know a way to do it.
A note: it is highly unrecommended to set "teamcity.http.auth.remember.me" internal property as it has side effects of blowing up the related storage. The same is with "teamcity.session.basic_auth.timeout" which can greatly increase the server memory consumption.
Hi Artem,
(server restart is not needed). By default it is .There is internal property in TeamCity that enables "Remember me" cookie for HTTP authentication
Also it is possible to set timeout for TCSESSIONID using internal property teamcity.session.basic_auth.timeout=<time out in seconds>. For more details see the comment.
Hi Alina,
Thank you very much.
Property "
Somehow, I do not have "Helpful answer" button in this thread, so I cannot mark your answer.
Apologies for resurrecting a dead thread, but I was wondering if it was possible to find out the expiry time for sessions that are active on the TeamCity server?
/app/rest/debug/sessions has provided some insightful information, but doesn't quite mention anywhere when a session is meant to expire.
I am trying to write a wrapper for the RESTful API, and have discovered that the TCSESSIONID that is returned in the header of the response expires after some indeterminate amount of time.
I am making these requests after authenticating with NTLM through /ntlmLogin.html. Is it possible to configure the session time out or renewal period for a NTLM based session? Something similar to basic_auth.timeout?
Hello Luc,
I would not recommend relying on session expiration time. The most robust approach is to use the session cookie while it works and request a new one when you get an unauthenticated error from the server.
You can also vote for / watch the related feature request in our tracker which seems to better address your needs.
Fair enough, I will take that approach. Would it make sense to have the server send a response back with a cookie specifying when the session is going to expire? At least then developers can write code for refreshing their authentication session ID at that point in the future.
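Added example, not part of the original thread and not TeamCity's own code: a curl wrapper for the approach recommended above, which reuses the TCSESSIONID cookie jar and falls back to basic authentication only when the server rejects the session. TC_URL, TC_COOKIE_JAR, TC_NETRC and the function names are assumptions, as is treating HTTP 401 as the unauthenticated error.

```shell
# Assumed settings (not TeamCity properties); override them in the environment.
TC_URL="${TC_URL:-https://teamcity.example.invalid}"
TC_COOKIE_JAR="${TC_COOKIE_JAR:-$HOME/.tc_cookies}"
# netrc line format: machine <host> login <user> password <password>
TC_NETRC="${TC_NETRC:-$HOME/.tc_netrc}"

# tc_request <body-file> <path> [extra curl args...]
# Sends one request with the cookie jar and prints only the HTTP status code.
tc_request() {
    out=$1; path=$2; shift 2
    (
        # The jar holds a live session id, so create it owner-readable only.
        umask 077
        curl -sS -o "$out" -w '%{http_code}' \
             -b "$TC_COOKIE_JAR" -c "$TC_COOKIE_JAR" "$@" "$TC_URL$path"
    )
}

# tc_get <path>
# Prints the response body. Returns 0 on a 2xx status, 1 otherwise.
tc_get() {
    body=$(mktemp) || return 1

    # First attempt: session cookie only, no credentials on the wire.
    status=$(tc_request "$body" "$1")

    if [ "$status" = 401 ]; then
        # Session missing or expired: log in again with basic authentication.
        # --netrc-file keeps the password out of the process list and history,
        # unlike "curl -u login:password".
        status=$(tc_request "$body" "$1" --netrc-file "$TC_NETRC")
    fi

    cat "$body"
    rm -f "$body"
    case $status in
        2??) return 0 ;;
        *)   echo "request failed: HTTP $status" >&2; return 1 ;;
    esac
}
```

Call it as `tc_get /app/rest/debug/sessions`; the netrc file should be mode 600, since it stores the password in clear text.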