session id is not returned from /session endpoint of demo server

Is this a bug?

I took a look at the response of the /session endpoint of the demo server and, to my surprise, it doesn’t return the parameter sessionid, due to which I was not able to log in to the Android client because it requires the sessionid.

PFA the response:

{
    "authenticated": true,
    "user": {
        "uuid": "45ce6c2e-dd5a-11e6-9d9c-0242ac150002",
        "display": "admin",
        "username": "admin",
        "systemId": "admin",
        "userProperties": {
            "loginAttempts": "0",
            "lockoutTimestamp": "",
            "emrapi.lastViewedPatientIds": "507,508"
        },
        "person": {
            "uuid": "24252571-dd5a-11e6-9d9c-0242ac150002",
            "display": "Super User"
        },
        "privileges": [],
        "roles": [
            {
                "uuid": "8d94f852-c2cc-11de-8d13-0010c6dffd0f",
                "display": "System Developer",
                "name": "System Developer"
            },
            {
                "uuid": "8d94f280-c2cc-11de-8d13-0010c6dffd0f",
                "display": "Provider",
                "name": "Provider"
            }
        ],
        "links": [
            {
                "rel": "self",
                "uri": "http://demo.openmrs.org/openmrs/ws/rest/v1/user/45ce6c2e-dd5a-11e6-9d9c-0242ac150002",
                "resourceAlias": "user"
            },
            {
                "rel": "default",
                "uri": "http://demo.openmrs.org/openmrs/ws/rest/v1/user/45ce6c2e-dd5a-11e6-9d9c-0242ac150002?v=default",
                "resourceAlias": "user"
            }
        ]
    },
    "locale": "en_GB",
    "allowedLocales": [
        "en",
        "en_GB",
        "es",
        "fr",
        "it",
        "pt"
    ],
    "sessionLocation": null,
    "currentProvider": {
        "uuid": "f9badd80-ab76-11e2-9e96-0800200c9a66",
        "display": "UNKNOWN - Super User",
        "links": [
            {
                "rel": "self",
                "uri": "http://demo.openmrs.org/openmrs/ws/rest/v1/provider/f9badd80-ab76-11e2-9e96-0800200c9a66",
                "resourceAlias": "provider"
            }
        ]
    }
}

@dev3

The sessionid is included in the header. You can check the cookies as well and there should be something like JSESSIONID=30E9729A38F35379D16383ADCDDB498D; Path=/openmrs; HttpOnly;. → OpenMRS Docs. As for adding the sessionid inside the response object, it doesn’t seem to be covered here.

1 Like
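Added example, not part of any post in this thread and not OpenMRS code: a client reading the session ID from the Set-Cookie header quoted above rather than from the JSON body, and replaying it only on paths the cookie's Path attribute covers. The class and function names are illustrative assumptions, and the request path in the demo follows the URIs in the posted response.

```python
from dataclasses import dataclass

# Set-Cookie value as quoted in the reply above.
SET_COOKIE = "JSESSIONID=30E9729A38F35379D16383ADCDDB498D; Path=/openmrs; HttpOnly;"


@dataclass
class SessionCookie:  # hypothetical container, not an OpenMRS type
    name: str
    value: str
    path: str
    http_only: bool
    secure: bool


def parse_set_cookie(header):
    """Split one Set-Cookie value into name, value and the attributes used here."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return SessionCookie(name.strip(), value.strip(), attrs.get("path") or "/",
                         "httponly" in attrs, "secure" in attrs)


def find_session(set_cookie_headers, name="JSESSIONID"):
    """Return the named session cookie from a list of Set-Cookie values, or None."""
    for header in set_cookie_headers:
        cookie = parse_set_cookie(header)
        if cookie.name == name:
            return cookie
    return None


def cookie_header(cookie, request_path):
    """Cookie header value for request_path, or None if Path does not cover it."""
    prefix = cookie.path.rstrip("/")
    if request_path == cookie.path or request_path.startswith(prefix + "/"):
        return f"{cookie.name}={cookie.value}"
    return None


if __name__ == "__main__":
    session = find_session([SET_COOKIE])
    print(session)
    print(cookie_header(session, "/openmrs/ws/rest/v1/session"))
```

The parsed cookie reports `http_only=True` and `secure=False`, matching the attributes present in the quoted header.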

Thanks for the response @mherman22

But the expected response object should contain sessionid as mentioned → here

This can lead its dependencies to crash

Exactly, not sure why it wasn’t implemented. Do you mind creating a ticket for it at Webservices REST Module - Issues - OpenMRS Issues?

/cc: @dkayiwa

1 Like

It was intentionally removed because it introduces a security vulnerability.

2 Likes

Thanks for clarifying, @dkayiwa, that it was done intentionally.

Creating a ticket to rectify this in the OpenMRS REST API docs.