RetrieveCookie Endpoint always returning 200



Article Number: 000093717
Environment
Product: Sitefinity
Version: 10.x, 11.x
OS: All supported OS versions
Database: All supported database server versions
Question/Problem Description
How does the retrieveAuthCookie endpoint work? Why does it return a 200 status all the time? What is different when one does not supply the JWT token?
This question is related to Progress Article 000082866, "Authenticate a user programmatically in Sitefinity 10+ to view a protected resource".


1. The service always returns 200, so the status code says nothing about success. What one has to look at is the "Set-Cookie" header of the response.

2. If the call succeeds, the response contains a "Set-Cookie" header with the appropriate value, which can then be read and applied to the subsequent API calls (the sample guards this with its setCookies flag):

    if (setCookies)
    {
        // Read every Set-Cookie header and hand them to the client's CookieContainer
        var cookiesToSet = response.Headers.GetValues("Set-Cookie");
        this.Cookies.SetCookies(this.BaseAddress, string.Join(", ", cookiesToSet));
    }

3. What happens when we don't supply the JWT token at all?

- One can test that by commenting out the following line (line 77 of AuthenticateSitefinity.cs *):

    this.DefaultRequestHeaders.Add(SitefinityClient.AuthorizationHeader, "Bearer " + tokenResponse.AccessToken);

The request still goes through with 200, and a Set-Cookie value is still returned.

However, on the server the Identity resolves to Anonymous, and the requests made with that cookie fail with "User Not Found", i.e. they do not pass. The out-of-the-box (OOTB) OData services return 401.

4. Since Sitefinity checks whether a user is already logged in before issuing a cookie, one should always do one of two things:

4.1 Use the ?forceLogin=true parameter, which overrides the current user (line 147 of SitefinityClient.cs) and obtains a new JWT token.

4.2 Always log the client out after the operations are done (line 31 of AuthenticateSitefinity.cs).

If the user is still logged in when the cookie is requested, the user gets the "Are you sure you want to log the user out" dialog instead, and the cookie is set as if the user were not logged in. (This can be changed in Security Settings by setting 'Disable the limit of active simultaneous backend users' to true, but using that option is not recommended at all.)

*The files can be found in the attachment related to 000082866.
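The following C# client is an added example, not code from this article or from the 000082866 attachment. It wraps steps 1 to 4 into one check: it calls retrieveAuthCookie with an optional Bearer token and optional ?forceLogin=true, ignores the 200 status, reads the Set-Cookie header, and then probes a protected OData endpoint with the issued cookie, treating a 401 as the "anonymous cookie" case described in step 3. The endpoint path, the HTTP method (GET) and the probe path are placeholders and are assumptions; the JWT is assumed to have been obtained beforehand from Sitefinity's token endpoint.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;

// Added example; not the article's code nor its attachment.
// Placeholders (assumptions, replace with the real values for your site):
//   RetrieveCookiePath - relative path of the retrieveAuthCookie endpoint (GET assumed)
//   ProbePath          - any out-of-the-box OData endpoint that requires a logged-in user
public static class SitefinityCookieCheck
{
    private const string RetrieveCookiePath = "/RETRIEVE_AUTH_COOKIE_PATH";
    private const string ProbePath = "/PROTECTED_ODATA_PATH";

    public enum Outcome
    {
        NoSetCookie,        // 200 came back but no cookie was issued
        CookieIsAnonymous,  // cookie issued, but the server sees an anonymous identity
        Authenticated       // cookie issued and accepted by a protected service
    }

    // Calls retrieveAuthCookie and verifies the resulting cookie instead of trusting the 200.
    // accessToken: JWT already obtained from Sitefinity's token endpoint; null reproduces step 3.
    // forceLogin:  appends ?forceLogin=true (step 4.1) to replace a still-logged-in user.
    public static async Task<Outcome> RetrieveAndVerifyAsync(Uri baseAddress, string accessToken, bool forceLogin)
    {
        var jar = new CookieContainer();
        // UseCookies = false: cookies are read from Set-Cookie and applied explicitly,
        // mirroring the article's SetCookies call, so the flow stays visible.
        using var handler = new HttpClientHandler { UseCookies = false };
        using var client = new HttpClient(handler) { BaseAddress = baseAddress };

        var path = forceLogin ? RetrieveCookiePath + "?forceLogin=true" : RetrieveCookiePath;
        using var request = new HttpRequestMessage(HttpMethod.Get, path);
        if (!string.IsNullOrEmpty(accessToken))
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

        using var response = await client.SendAsync(request);

        // Step 1: the status is 200 with or without a valid token, so only the headers matter.
        // TryGetValues avoids the exception GetValues throws when the header is absent.
        if (!response.Headers.TryGetValues("Set-Cookie", out var setCookies))
            return Outcome.NoSetCookie;

        // Feed each Set-Cookie header to the container on its own instead of joining them with ", ".
        foreach (var header in setCookies)
            jar.SetCookies(baseAddress, header);

        // Step 3: an anonymous cookie is still issued; a protected OData call then answers 401.
        using var probe = new HttpRequestMessage(HttpMethod.Get, ProbePath);
        var cookieHeader = jar.GetCookieHeader(baseAddress);
        if (!string.IsNullOrEmpty(cookieHeader))
            probe.Headers.Add("Cookie", cookieHeader);
        using var probeResponse = await client.SendAsync(probe);

        return probeResponse.StatusCode == HttpStatusCode.Unauthorized
            ? Outcome.CookieIsAnonymous
            : Outcome.Authenticated;
    }

    public static async Task Main()
    {
        var site = new Uri("https://sitefinity.example.com");                 // placeholder host
        var token = Environment.GetEnvironmentVariable("SF_ACCESS_TOKEN");    // JWT obtained beforehand
        var outcome = await RetrieveAndVerifyAsync(site, token, forceLogin: true);
        Console.WriteLine($"retrieveAuthCookie outcome: {outcome}");
    }
}
```

Running it with the token omitted (no SF_ACCESS_TOKEN) reproduces step 3: the call still returns 200 and a Set-Cookie header, but the probe answers 401 and the method reports CookieIsAnonymous. Running it with a valid token but forceLogin set to false while that user is still logged in reproduces the step 4 case, where the cookie is issued as if the user were not logged in, which the probe again surfaces as CookieIsAnonymous.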
Last Modified Date: 1/9/2019 1:02 PM
