REST API: httpAuth "RememberMe" cookie


Recently, most probably in the TeamCity 9.1 update, there was a change that introduced a serious problem for my interactive script based on the REST API.
That is: the TeamCity server no longer returns a correct "RememberMe" cookie after subsequent HTTP requests.

How it worked prior to 9.1:

The first request for authentication, which contains the login and password passed via basic authentication ( `curl -u login:password` ), does return a TCSESSIONID cookie, but no RememberMe cookie.
However, if I send more requests with the newly acquired TCSESSIONID, all further requests will also contain a RememberMe cookie.
If I renew the cookie file ( `curl -b ./cookie -c ./cookie` ), it allowed me to use a single authentication for a very long time ( 2 weeks actually, and it got prolonged with each renew ), which is very convenient for an interactive script that is used every day.

How it works now:

All requests, regardless of whether they contain the login and password passed via basic authentication or an existing TCSESSIONID cookie, will either not return RememberMe at all, or return an empty one.

I wonder if it is possible to make TeamCity return RememberMe in curl requests as it did before.
Also, I may actually be wrong regarding the statement that the 9.1 update changed this - possibly, it was not even an update, but some changes to server settings. However, I do not know a way to verify it.

Lastly, I may add that RememberMe is correctly returned in normal authentication requests via GUI.
If I emulate such a request via curl ( `curl 'http://TeamCity-address/loginSubmit.html' --data-binary 'username=login&remember=true&_remember=&submitLogin=Log+in&publicKey=<...>&encryptedPassword=<...>'` ), I also get the RememberMe cookie correctly, but I have no way of getting the publicKey for encryption in a command line script, or at least I do not know a way to do it.

Official comment

A note: it is highly unrecommended to set "" internal property as it has side effects of blowing up the related storage. The same is with "teamcity.session.basic_auth.timeout" which can greatly increase the server memory consumption.


Hi Artem,

There is an internal property in TeamCity that enables the "Remember me" cookie for HTTP authentication
(server restart is not needed). By default it is
Also it is possible to set timeout for TCSESSIONID using internal property teamcity.session.basic_auth.timeout=<time out in seconds>. For more details see the comment.

Hi Alina,

Thank you very much.
Property "" did the trick.

Somehow, I do not have "Helpful answer" button in this thread, so I cannot mark your answer.

Apologies for resurrecting a dead thread, but I was wondering if it was possible to find out the expiry time for sessions that are active on the TeamCity server?

/app/rest/debug/sessions has provided some insightful information, but doesn't quite mention anywhere when a session is meant to expire.

I am trying to write a wrapper for the RESTful API, and have discovered that the TCSESSIONID that is returned in the header of the response expires after some indeterminate amount of time.

I am making these requests after authenticating with NTLM through /ntlmLogin.html. Is it possible to configure the session timeout or renewal period for an NTLM based session? Something similar to basic_auth.timeout?


Hello Luc,

I would not recommend relying on session expiration time. The most robust approach is to use the session cookie while it works and request a new one when you get an unauthenticated error from the server.

You can also vote for / watch the related feature request in our tracker, which seems to better address your needs.
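
The approach recommended in the reply above (use the TCSESSIONID cookie while it works, re-authenticate only on an unauthenticated response), as an added example that is not part of the original thread and not JetBrains code. The class name `CookieFirstClient`, the `logins` counter and the plain-HTTP refusal are assumptions of this sketch; it uses basic authentication, not NTLM.

```python
import base64
import http.cookiejar
import urllib.error
import urllib.parse
import urllib.request


class CookieFirstClient:
    """Reuse the session cookie; send credentials only after a 401."""

    def __init__(self, base_url, user, password):
        parts = urllib.parse.urlsplit(base_url)
        # Assumption of this sketch: Basic credentials go over TLS only,
        # with loopback allowed for local testing.
        if parts.scheme != "https" and parts.hostname not in ("127.0.0.1", "localhost"):
            raise ValueError("refusing to send Basic credentials over plain HTTP")
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self._basic = "Basic " + token
        self.jar = http.cookiejar.CookieJar()  # in memory, never written to disk
        self._opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(self.jar))
        self.logins = 0  # number of requests that carried credentials

    def _send(self, path, with_credentials):
        req = urllib.request.Request(self.base_url + path)
        if with_credentials:
            req.add_header("Authorization", self._basic)
            self.logins += 1
        with self._opener.open(req, timeout=10) as resp:
            return resp.read()

    def get(self, path):
        if any(c.name == "TCSESSIONID" for c in self.jar):
            try:
                return self._send(path, with_credentials=False)
            except urllib.error.HTTPError as err:
                if err.code != 401:
                    raise
                err.close()
                self.jar.clear()  # session expired server-side: drop the stale cookie
        # No usable session: authenticate once; the response sets a new cookie.
        return self._send(path, with_credentials=True)
```

A 401 on the credentialed request is raised to the caller rather than retried, so a wrong password does not turn into a login loop against the server.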


Fair enough, I will take that approach. Would it make sense to have the server send a response back with a cookie specifying when the session is going to expire? At least then developers can write code for refreshing their authentication session ID at that point in the future.

