AXL Authentication Cookies

Gordon Ross · ‎01-31-2017

The docs say that you can use the JSESSIONID cookie to re-use an authentication session. Yet in testing on CUCM 11.5, I find that this doesn't work. Instead, you have to use the new(er) JSESSIONIDSSO cookie.

If you send just the SSO cookie, things work. Send only a (valid) JSESSIONID cookie, and you get a wonderful 401 error.

Have the docs not been updated, or is this a bug?

GTG

Please rate all helpful posts.

dstaudt · ‎01-31-2017

Thanks for catching this, we'll take and look at get this updated...

James Adam · ‎01-25-2018

How are you able to validate that this is working? I have tried sending the JSESSIONID and/or the JSESSIONIDSSO cookie with a subsequent request and each time I get back a new set of cookies with my response. If I drop the auth header and send a request with cookies from a previous valid request I get a 401 error. (using CUCM 11.5)

dstaudt · ‎01-25-2018

Note, the JSESSIONIDSSO cookie will expire after about 30 minutes.

What you describe should work:

- Make a standard request with 'Authorization' header

- Extract the 'Set-Cookie' response header for JSESSIONIDSSO

- On subsequent requests, do not include Authorization, but do include a 'Cookie' header containing the content the full JSESSIONIDSSO:

Cookie: JSESSIONIDSSO=2723FD93559E7FA7E17F0E7958D13; Path=/; Secure; HttpOnly

James Adam · ‎01-26-2018

Hey thanks for the quick response. I realized that I was sending a Set-Cookie header with my subsequent requests instead of a Cookie header. Fixed that and it works as expected now.

+1 dstaudt