HttpOnly Session Cookies for OpenMRS API Authentication in Frontend Development

Application Name: Bahmni
Version Number: 1.0.0-lite

Question: Hi,

I have developed a front end for testing OpenMRS APIs. I’m encountering an issue while creating a session with the OpenMRS API. When I send a POST request for authentication (/openmrs/ws/rest/v1/session) using Basic Auth, I receive a response indicating that authentication was successful ("authenticated": true). However, I am unable to retrieve the session ID cookie (JSESSIONID) to maintain the session for subsequent API calls from my frontend. The cookie is marked as HttpOnly, which prevents it from being accessed via JavaScript on the frontend.

Could you please provide guidance on how to handle this HttpOnly cookie for creating a session?

Thank you!


It is marked HttpOnly for purposes like this. It's one of the practices against XSS attacks.
If your intention is only to test, and in a secure environment, here are some options:

  1. Get it from the response headers - not within the browser execution context, but from a client written in any language, including a Node environment.
  2. Change the “session-config” in /usr/local/tomcat/webapps/openmrs/WEB-INF/web.xml (requires a restart of the Tomcat process - or the container itself).