Dev - Nexus Repo
NEXUS-24925

Unneeded JSESSIONID cookies returned


    Details

      Description

      NXRM has started to return JSESSIONID cookies. In the past these were not generated.

      curl 'http://localhost:8081/service/rapture/session' \
        -H 'Connection: keep-alive' \
        -H 'Pragma: no-cache' \
        -H 'Cache-Control: no-cache' \
        -H 'X-Requested-With: XMLHttpRequest' \
        -H 'X-Nexus-UI: true' \
        -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36' \
        -H 'NX-ANTI-CSRF-TOKEN: 0.20777158166126664' \
        -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
        -H 'Accept: */*' \
        -H 'Origin: http://localhost:8081' \
        -H 'Sec-Fetch-Site: same-origin' \
        -H 'Sec-Fetch-Mode: cors' \
        -H 'Sec-Fetch-Dest: empty' \
        -H 'Referer: http://localhost:8081/' \
        -H 'Accept-Language: en-US,en;q=0.9' \
        -H 'Cookie: NX-ANTI-CSRF-TOKEN=0.20777158166126664; _ga=GA1.1.918799830.1597419849; _gid=GA1.1.591002232.1597419849' \
        --data-raw 'username=YWRtaW4%3D&password=YWRtaW4xMjM%3D' \
        --compressed -v
      *   Trying ::1:8081...
      * TCP_NODELAY set
      * Connection failed
      * connect to ::1 port 8081 failed: Connection refused
      *   Trying 127.0.0.1:8081...
      * TCP_NODELAY set
      * Connected to localhost (127.0.0.1) port 8081 (#0)
      > POST /service/rapture/session HTTP/1.1
      > Host: localhost:8081
      > Accept-Encoding: deflate, gzip
      > Connection: keep-alive
      > Pragma: no-cache
      > Cache-Control: no-cache
      > X-Requested-With: XMLHttpRequest
      > X-Nexus-UI: true
      > User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
      > NX-ANTI-CSRF-TOKEN: 0.20777158166126664
      > Content-Type: application/x-www-form-urlencoded; charset=UTF-8
      > Accept: */*
      > Origin: http://localhost:8081
      > Sec-Fetch-Site: same-origin
      > Sec-Fetch-Mode: cors
      > Sec-Fetch-Dest: empty
      > Referer: http://localhost:8081/
      > Accept-Language: en-US,en;q=0.9
      > Cookie: NX-ANTI-CSRF-TOKEN=0.20777158166126664; _ga=GA1.1.918799830.1597419849; _gid=GA1.1.591002232.1597419849
      > Content-Length: 43
      > 
      * upload completely sent off: 43 out of 43 bytes
      * Mark bundle as not supporting multiuse
      < HTTP/1.1 204 No Content
      < Date: Fri, 14 Aug 2020 15:58:21 GMT
      < Server: Nexus/3.26.0-04 (PRO)
      < X-Content-Type-Options: nosniff
      < Set-Cookie: JSESSIONID=node0wa8z5s1cdgmc15v1nyqlq608j3.node0; Path=/
      < Expires: Thu, 01 Jan 1970 00:00:00 GMT
      < Set-Cookie: NXSESSIONID=dd249c7b-8b34-4bda-bf2b-538a9520a757; Path=/; HttpOnly; SameSite=lax
      < X-Frame-Options: DENY
      < 
      

      Expected

      Do not return JSESSIONID cookies. Sessions are tracked using NXSESSIONID cookies already.
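The transcript above shows two session cookies in one response: the container-level JSESSIONID, issued with only a Path attribute, and the application's NXSESSIONID, issued with HttpOnly and SameSite. A regression check that parses the Set-Cookie headers out of a curl -v transcript and flags both the unexpected cookie and any cookie lacking hardening attributes is a practical way to confirm the fix. The following is an added example, not code from this issue or from the Nexus code base; the sample transcript is constructed from the response lines shown above, and the set of forbidden cookie names is an assumption taken from the Expected section.

```python
"""Regression check for unexpected or under-hardened session cookies.

Added example, not part of NEXUS-24925 or the Nexus code base. It extracts the
response headers ('< ' lines) from a `curl -v` transcript, parses every
Set-Cookie header, and reports cookies that should not be issued at all as well
as cookies missing HttpOnly / SameSite (and Secure on HTTPS responses).
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the response half of the curl -v transcript in this issue.
SAMPLE_TRANSCRIPT = """\
< HTTP/1.1 204 No Content
< Date: Fri, 14 Aug 2020 15:58:21 GMT
< Server: Nexus/3.26.0-04 (PRO)
< X-Content-Type-Options: nosniff
< Set-Cookie: JSESSIONID=node0wa8z5s1cdgmc15v1nyqlq608j3.node0; Path=/
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Set-Cookie: NXSESSIONID=dd249c7b-8b34-4bda-bf2b-538a9520a757; Path=/; HttpOnly; SameSite=lax
< X-Frame-Options: DENY
< 
"""

# Assumption: cookie names the product should never issue (from the issue's "Expected").
FORBIDDEN_COOKIES = {"JSESSIONID"}


@dataclass
class Cookie:
    name: str
    value: str
    attrs: Dict[str, str]  # lower-cased attribute name -> value ('' for flags such as HttpOnly)


def response_headers_from_curl(transcript: str) -> List[str]:
    """Return the header lines curl -v prints with a '< ' prefix, prefix stripped."""
    lines = []
    for line in transcript.splitlines():
        if line.startswith("< "):
            lines.append(line[2:])
        elif line == "<":  # curl prints a bare '<' for the blank line ending the headers
            lines.append("")
    return lines


def parse_set_cookie(header_value: str) -> Cookie:
    """Parse 'NAME=value; Attr=val; Flag' into a Cookie (attribute names lower-cased)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs)


def set_cookies(header_lines: List[str]) -> List[Cookie]:
    """Collect every Set-Cookie header (case-insensitive) from raw header lines."""
    cookies = []
    for line in header_lines:
        hname, sep, hvalue = line.partition(":")
        if sep and hname.strip().lower() == "set-cookie":
            cookies.append(parse_set_cookie(hvalue.strip()))
    return cookies


def audit(transcript: str, https: bool = False) -> List[str]:
    """Return findings for the response in a curl -v transcript; [] means it passes."""
    findings = []
    for c in set_cookies(response_headers_from_curl(transcript)):
        if c.name in FORBIDDEN_COOKIES:
            findings.append(f"{c.name}: unexpected session cookie issued")
        if "httponly" not in c.attrs:
            findings.append(f"{c.name}: missing HttpOnly")
        if "samesite" not in c.attrs:
            findings.append(f"{c.name}: missing SameSite")
        if https and "secure" not in c.attrs:
            findings.append(f"{c.name}: missing Secure on an HTTPS response")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_TRANSCRIPT):
        print(finding)
```

Run against the sample transcript, the audit reports three findings, all for JSESSIONID (issued at all, no HttpOnly, no SameSite), and none for NXSESSIONID. Once the fix lands, piping a fresh `curl -v` transcript of the same login request through `audit` should return an empty list; passing `https=True` when the instance sits behind TLS additionally requires the Secure attribute.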


            People

            Assignee: dsawa (Dawid Sawa)
            Reporter: plynch (Peter Lynch)
            Last Updated By: Michael Prescott
            Team: NXRM - Groot
            Votes: 0
            Watchers: 4
