Uploaded image for project: 'Red Hat 3scale API Management'
  1. Red Hat 3scale API Management
  2. THREESCALE-7475

Some api calls result in "Destroying user session"


    • False
    • False
    • Not Started
    • Not Started
    • Not Started
    • Not Started
    • Not Started
    • Not Started
    • undefined
      1. Create new access token with all permissions/scopes
      2. Go to 3scale API Docs page
      3. Send Backend create request with the token
      4. Reload admin portal page
      5. See it requires login

      Some api calls trough API Docs page cause session to log out. Doesn't happen while using the curl command.

      Known to cause this:

      • Backend create/delete/update
      • Field definitions update/delete

      In the logsĀ (attached below) for system-provider shows:

      ... Can't verify CSRF token authenticity.
      ... Destroying user session {id}

      Where id is filled AND actually logs out when used trough API Docs page. When using curl the id is missing and doesn't cause log out.

      Dev notes

      Every endpoint in the API Docs page which returns json and uses different HTTP methods than GET will trigger the destruction of the session.

      The easiest fix is to disable the CSRF protection for json requests. However, this is not optimal.
      We should fix the communication between the backend and frontend so it won't destroy the user session.

            Unassigned Unassigned
            rhn-support-azgabur Alexander Zgabur
            Alexander Zgabur Alexander Zgabur
            Jakub Smadis Jakub Smadis (Inactive)
            0 Vote for this issue
            2 Start watching this issue