Client cookies are not getting removed after server session invalidated

Alright, so with the commits mentioned in this comment, the CookieClearingFilter now appears to be functioning as expected. This doesn’t resolve all the issues brought up in this thread because they are not all tied to that one piece of functionality, which is intended to clear cookies when the user’s session is ended during a request.

I can’t reproduce the behaviour asserted here. More exactly, whenever I send a request to the REST endpoint that is rejected with a 401 because the session is expired or otherwise invalid, I get a new JSESSIONID cookie with it. E.g.,

GET /openmrs/ws/rest/v1/session HTTP/1.1
Cookie: JSESSIONID=CDA7A323A99C4388E633888747F84BF5
Host: dev3.openmrs.org

Access-Control-Expose-Headers: Authorization
Connection: close
Content-Language: en
Content-Length: 708
Content-Type: text/html;charset=utf-8
Date: Thu, 26 Jan 2023 12:52:15 GMT
Server: nginx/1.18.0 (Ubuntu)
Set-Cookie: JSESSIONID=AB534D3AD011EBF2D72B11DCA2795CB7; Path=/openmrs; HttpOnly; Secure; SameSite=Strict

<!doctype html><html lang="en"><head><title>HTTP Status 401 – Unauthorized</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 401 – Unauthorized</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> Session timed out</p><p><b>Description</b> The request has not been applied because it lacks valid authentication credentials for the target resource.</p><hr class="line" /><h3>Apache Tomcat/8.5.85</h3></body></html>

This looks to me like the server correctly returning a new JSESSIONID (though note that at this point the session is not authenticated; sending a new request with authentication credentials, however, will result in a validly authenticated session).

There are probably a couple of infelicities in the current REST module that should be remedied:

  • Regardless of whether the requested session is valid, if appropriate authentication credentials are sent along with the request, a new session using those credentials should probably be returned with a 401 response.
  • Regardless of authentication status, a request to the session endpoint should probably always actually hit the session endpoint.
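As an added check (example code, not from OpenMRS or the webservices.rest module): the script below parses a request/response pair like the one quoted above and reports whether the 401 response replaced the client's JSESSIONID with a different one, and whether the new cookie carries the HttpOnly, Secure and SameSite attributes. The response status line is an assumption, since the post shows only the headers.

```python
# Exchange copied from the post above; the response status line is an assumption
# (the post shows only headers) and unrelated headers are omitted.
REQUEST = (
    "GET /openmrs/ws/rest/v1/session HTTP/1.1\r\n"
    "Cookie: JSESSIONID=CDA7A323A99C4388E633888747F84BF5\r\n"
    "Host: dev3.openmrs.org\r\n\r\n"
)
RESPONSE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "Set-Cookie: JSESSIONID=AB534D3AD011EBF2D72B11DCA2795CB7; "
    "Path=/openmrs; HttpOnly; Secure; SameSite=Strict\r\n\r\n"
)
REQUIRED_ATTRS = ("httponly", "secure", "samesite")

def parse_headers(raw):
    """Return [(lowercased name, value), ...] from a raw HTTP message head."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]
    pairs = [line.split(":", 1) for line in lines if ":" in line]
    return [(n.strip().lower(), v.strip()) for n, v in pairs]

def header_values(headers, name):
    """All values of header `name` (there may be several Set-Cookie lines)."""
    return [v for n, v in headers if n == name]

def request_cookie(headers, name):
    """Value of cookie `name` from the request's Cookie header(s), or None."""
    jar = dict(p.strip().partition("=")[::2]
               for v in header_values(headers, "cookie") for p in v.split(";"))
    return jar.get(name)

def set_cookies(headers):
    """Parse each Set-Cookie header into (name, value, {attr: value or True})."""
    out = []
    for value in header_values(headers, "set-cookie"):
        first, *attrs = [p.strip() for p in value.split(";")]
        parsed = {a.partition("=")[0].lower(): (a.partition("=")[2] or True) for a in attrs}
        out.append((*first.partition("=")[::2], parsed))
    return out

def check_session_rotation(request_raw, response_raw, name="JSESSIONID"):
    """Report whether the response replaced the client's session id securely."""
    old = request_cookie(parse_headers(request_raw), name)
    issued = [c for c in set_cookies(parse_headers(response_raw)) if c[0] == name]
    new, attrs = (issued[-1][1], issued[-1][2]) if issued else (None, {})
    return {"old_id": old, "new_id": new,
            "rotated": new is not None and new != old,
            "missing_attrs": [a for a in REQUIRED_ATTRS if a not in attrs]}
```

Running `check_session_rotation(REQUEST, RESPONSE)` on the quoted exchange reports `rotated: True` with no missing attributes; a response that echoes the stale id back, or omits Set-Cookie entirely, is flagged as not rotated.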

I have raised a minor PR on webservices rest. Also left a comment on the card
