REST API: httpAuth "RememberMe" cookie

Hello,

Recently, most probably in TeamCity update 9.1, there was a change that introduced a serious problem for my interactive script based on REST API.
That is: TeamCity server no longer returns a correct "RememberMe" cookie after subsequent HTTP requests.

How it worked prior to 9.1:

The first request for authentication, which contains login and password passed via basic authentication ( curl -u login:password ), does return a TCSESSIONID cookie, but no RememberMe cookie.
However, if I send more requests with the newly acquired TCSESSIONID, all further requests will also contain a RememberMe cookie.
If I renew the cookie file ( curl -b ./cookie -c ./cookie ), it allowed me to use a single authentication for a very long time ( 2 weeks actually, and it got prolonged with each renew ), which is very convenient for an interactive script that is used every day.

How it works now:

All requests, regardless of whether they contain login and password passed via basic authentication or an existing TCSESSIONID cookie, will either not return RememberMe at all, or return an empty one.

I wonder if it is possible to make TeamCity return RememberMe in curl requests as it did before.
Also, I may actually be wrong regarding the statement that the 9.1 update changed this - possibly, it was not even an update, but some server settings' changes. However, I do not know a way to verify it.

Lastly, I may add that RememberMe is correctly returned in normal authentication requests via GUI.
If I emulate such a request via curl ( curl 'http://TeamCity-address/loginSubmit.html' --data-binary 'username=login&remember=true&_remember=&submitLogin=Log+in&publicKey=<...>&encryptedPassword=<...>' ), I also get the RememberMe cookie correctly, but I have no way of getting publicKey for encryption in a command line script, or at least I do not know a way to do it.

Official comment

A note: it is highly unrecommended to set "teamcity.http.auth.remember.me" internal property as it has side effects of blowing up the related storage. The same is with "teamcity.session.basic_auth.timeout" which can greatly increase the server memory consumption.


Hi Artem,

There is an internal property in TeamCity that enables the "Remember me" cookie for HTTP authentication:

teamcity.http.auth.remember.me=true

(server restart is not needed). By default it is false.

Also it is possible to set a timeout for TCSESSIONID using the internal property teamcity.session.basic_auth.timeout=<time out in seconds>. For more details see the comment.

Hi Alina,

Thank you very much.
Property "teamcity.http.auth.remember.me=true" did the trick.

Somehow, I do not have "Helpful answer" button in this thread, so I cannot mark your answer.

Apologies for resurrecting a dead thread, but I was wondering if it was possible to find out the expiry time for sessions that are active on the TeamCity server?

/app/rest/debug/sessions has provided some insightful information, but doesn't quite mention anywhere when a session is meant to expire.

I am trying to write a wrapper for the RESTful API, and have discovered that the TCSESSIONID that is returned in the header of the response expires after some indeterminate amount of time.

I am making these requests after authenticating with NTLM through /ntlmLogin.html. Is it possible to configure the session timeout or renewal period for an NTLM based session? Something similar to basic_auth.timeout?


Hello Luc,

I would not recommend relying on session expiration time. The most robust approach is to use the session cookie while it works and request a new one when you get an unauthenticated error from the server.

You can also vote for / watch related feature request in our tracker which seems to better address your needs.
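
The approach recommended in the reply above (keep using the session cookie, send credentials again only after an unauthenticated response), as an added example that is not part of the thread or of TeamCity's own code. It assumes the server reports an expired session with HTTP 401 and accepts Basic credentials on the same path; the class name `TeamCityClient` and its `logins` counter are hypothetical.

```python
import base64
import http.cookiejar
import urllib.error
import urllib.request


class TeamCityClient:
    """Reuse TCSESSIONID; send Basic credentials only when there is no live session."""

    def __init__(self, base_url, user, password):
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self._basic = "Basic " + token
        # In-memory jar: unlike a curl cookie file, the session id never hits disk.
        self.jar = http.cookiejar.CookieJar()
        self._opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(self.jar))
        self.logins = 0  # number of requests that carried the password

    def _open(self, path, with_credentials):
        req = urllib.request.Request(self.base_url + path,
                                     headers={"Accept": "application/json"})
        if with_credentials:
            req.add_header("Authorization", self._basic)
            self.logins += 1
        with self._opener.open(req, timeout=30) as resp:
            return resp.read()

    def get(self, path):
        """GET `path`, re-authenticating once if the session cookie was rejected."""
        if any(c.name == "TCSESSIONID" for c in self.jar):
            try:
                return self._open(path, with_credentials=False)
            except urllib.error.HTTPError as err:
                if err.code != 401:  # assumption: 401 == "unauthenticated"
                    raise
                err.close()
                self.jar.clear()  # drop the stale session id before logging in
        # No session yet, or it expired: one request with credentials.
        # A 401 here means bad credentials and is raised to the caller.
        return self._open(path, with_credentials=True)
```

With this pattern the client never needs to know the server-side timeout, and the password crosses the wire only on the first request and after each expiry.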


Fair enough, I will take that approach. Would it make sense to have the server send a response back with a cookie specifying when the session is going to expire? At least then developers can write code for refreshing their authentication session ID at that point in the future.
