Hi @ibacher,
To invalidate the session from the server side, you added the commit below in webservices version 2.36.0: RESTWS-887: Session endpoint should expire the cookie on delete (#543) · openmrs/openmrs-module-webservices.rest@cc6c1ab · GitHub
We wanted to raise with you an issue we are facing: this commit is not able to remove the cookie on the client side.
Below are the steps to reproduce the issue we faced.
Below is the login curl request:
curl -v -k --request GET 'https://localhost/openmrs/ws/rest/v1/session' \
--header 'Authorization: Basic c3VwZXJtYW46QWRtaW4xMjM='
which will return a jsessionId, e.g. B0A59487946C81A63CCCA4EDEB128D0F
After that, when we make a delete call with the same jsession_id,
curl -v -k --request DELETE 'https://localhost/openmrs/ws/rest/v1/session' \
--header 'Cookie: JSESSIONID=B0A59487946C81A63CCCA4EDEB128D0F'
it will invalidate the session on the server side, and the server will set the same jsession_id B0A59487946C81A63CCCA4EDEB128D0F as the cookie, which is already expired.
After the delete call, to ensure that the previous session was destroyed, when we make another login request (which will send the previous jsession_id that has expired on the server side),
curl -v -k --request GET 'https://localhost/openmrs/ws/rest/v1/session' \
--header 'Authorization: Basic c3VwZXJtYW46QWRtaW4xMjM=' \
--header 'Cookie: JSESSIONID=B0A59487946C81A63CCCA4EDEB128D0F'
it returns 401 UNAUTHORIZED, because we passed the expired jsession_id, and it returns a new jsession_id which was created as part of the delete call;
and as jsession_id is an HttpOnly cookie, the browser will take care of setting it; we cannot set it from JS.
Now, when we make a get request with the valid jsession_id,
curl -v -k --request GET 'https://localhost/openmrs/ws/rest/v1/session' \
--header 'Cookie: JSESSIONID=0B8222111FB8B81D12A096046648B4D8'
it returns the required result.
But since we are using curl, we are modifying the requests to use the valid jsession_id; in the browser, as jsession_id is an HttpOnly cookie, the browser takes care of setting it and we cannot set it from JS.
So we made the changes below:
in SessionController1_9.java, when we invalidate the session, we set jsession_id to the new session id and attach it to the response.
// imports needed at the top of SessionController1_9.java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.openmrs.api.context.Context;

public void delete(HttpServletRequest request, HttpServletResponse response) {
    Context.logout();
    request.getSession().invalidate();
    // getSession() after invalidate() creates the replacement session; read its id once
    String newSessionId = request.getSession(true).getId();
    Cookie[] cookies = request.getCookies();
    if (cookies != null) {
        for (Cookie cookie : cookies) {
            String name = cookie.getName();
            if (name.equals("JSESSIONID") || name.equals("reporting_session")) {
                // one Set-Cookie header per cookie: addHeader keeps earlier headers,
                // and the value is built fresh each time instead of accumulating
                response.addHeader("Set-Cookie", name + "=" + newSessionId + "; Path=/; Secure; HttpOnly");
            }
        }
    }
}
And on the client end (bahmniapps), after we call the delete method (to invalidate the server session), we make a dummy get call, which sends the request with the valid jsession_id.
@ibacher, what is your opinion on this issue? Would you suggest any changes?
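To make the cookie behaviour concrete, here is a small Python model of the login, DELETE and re-login sequence described above (added for this discussion; it is not code from OpenMRS or bahmniapps). It assumes a browser-like cookie jar that only a Set-Cookie header can update, and a server that answers 401 to an invalidated JSESSIONID as observed in the post; with `fixed=False` the DELETE response re-sends the old id and the next request fails, with `fixed=True` it carries the new id and the next request succeeds.

```python
import secrets

class SessionEndpoint:
    """Toy model of GET/DELETE /ws/rest/v1/session as observed in the post:
    an invalidated JSESSIONID is answered 401, a live one is answered 200."""

    def __init__(self, fixed):
        self.fixed = fixed          # True: the DELETE response carries the NEW id
        self.live = set()           # session ids the container currently knows
        self.invalidated = set()    # ids destroyed by session.invalidate()

    def get(self, jar, auth=None):
        sid = jar.get("JSESSIONID")
        if sid in self.invalidated:
            return 401, {}
        if sid in self.live:
            return 200, {}
        if auth:                    # login: the container issues a fresh session
            sid = secrets.token_hex(16).upper()   # constructed stand-in for a JSESSIONID
            self.live.add(sid)
            return 200, {"Set-Cookie": f"JSESSIONID={sid}; Path=/; Secure; HttpOnly"}
        return 401, {}

    def delete(self, jar):
        old = jar.get("JSESSIONID")
        if old:
            self.live.discard(old)
            self.invalidated.add(old)           # request.getSession().invalidate()
        fresh = secrets.token_hex(16).upper()   # request.getSession() after invalidate()
        self.live.add(fresh)
        cookie_id = fresh if self.fixed else old
        return 200, {"Set-Cookie": f"JSESSIONID={cookie_id}; Path=/; Secure; HttpOnly"}

def apply_set_cookie(jar, headers):
    """Browser-side step: only a Set-Cookie header can change an HttpOnly
    cookie; page JavaScript can neither read nor rewrite it."""
    header = headers.get("Set-Cookie")
    if header:
        name, value = header.split(";", 1)[0].split("=", 1)
        jar[name] = value
    return jar

def run_flow(fixed):
    """Login -> DELETE -> login again; returns the status of the final GET."""
    server, jar = SessionEndpoint(fixed), {}
    apply_set_cookie(jar, server.get(jar, auth="Basic ...")[1])   # login
    apply_set_cookie(jar, server.delete(jar)[1])                  # logout
    return server.get(jar, auth="Basic ...")[0]                   # login again
```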