Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Martijn_Haverho
Explorer
Jump to solution

How to properly logoff web api session without leaving session open

How do I properly logoff from a web api session without leaving my sessions disconnected.

When providing my session id (X-chkp-sid) with the logoff method, my session is listed as disconnected in SmartConsole. And when reaching the max of xxx disconnected sessions I can no longer login.

Please advise.

1 Solution

Accepted Solutions
Robert_Decker
Advisor

Your command looks just fine and should work. You should recieve a "OK" message as a response.

Please note that logout command doesn't remove the session, it remains in disconnected state, so you can login again later and continue working on it.

If you wish to terminate the session when logging out, you should either discard or publish the changes of this session - 

login -> work -> publish/discard -> logout.

Meanwhile, if you wish to cleanup these disconnected sessions, please use this bash script on your management server - 

#!/bin/bash
mgmt_cli login -r true > id.txt; current_sid=$(mgmt_cli show session -s id.txt -f json | $CPDIR/jq/jq .uid); for sid in $(mgmt_cli -s id.txt show sessions details-level full -f json | $CPDIR/jq/jq '.objects[] | select ( .["application"] | contains ("WEB_API")) | .uid' | grep -v ${current_sid}); do mgmt_cli discard uid ${sid} -s id.txt ; done; mgmt_cli logout -s id.txt

Robert.

View solution in original post

9 Replies
Robert_Decker
Advisor

Hi,

Can you please provide the version of your management server and the API activation method (cli/web service)?

In addition - full input and output of your logout command.

Robert.

0 Kudos
Gary_Lipets
Participant
POST {{server}}/logout Content-Type: application/json X-chkp-sid: {{session}}  { }
0 Kudos
Robert_Decker
Advisor

Your command looks just fine and should work. You should recieve a "OK" message as a response.

Please note that logout command doesn't remove the session, it remains in disconnected state, so you can login again later and continue working on it.

If you wish to terminate the session when logging out, you should either discard or publish the changes of this session - 

login -> work -> publish/discard -> logout.

Meanwhile, if you wish to cleanup these disconnected sessions, please use this bash script on your management server - 

#!/bin/bash
mgmt_cli login -r true > id.txt; current_sid=$(mgmt_cli show session -s id.txt -f json | $CPDIR/jq/jq .uid); for sid in $(mgmt_cli -s id.txt show sessions details-level full -f json | $CPDIR/jq/jq '.objects[] | select ( .["application"] | contains ("WEB_API")) | .uid' | grep -v ${current_sid}); do mgmt_cli discard uid ${sid} -s id.txt ; done; mgmt_cli logout -s id.txt

Robert.

Martijn_Haverho
Explorer

Hi Robert,

That clarifies a lot. I indeed receive an "OK" response after logout. I will use your procedure.

Thanks a lot.

Martijn

0 Kudos
phlrnnr
Advisor

I am having this same issue when I do the following:

  • login via REST API
  • run command 'add-access-rule'
  • publish session (result: {""task-id" : "<long string>"} - and I can see the rule show up in SmartConsole)
  • logout - result:  {"message": "OK"}

The Session shows up in SmartConsole in 'Disconnected' state.

If I add an extra step between publish and logout which calls 'discard' after the publish, I get this:

{
"number-of-discarded-changes" : 2,
"message" : "OK"
}

If I don't do the discard, the session shows 'Disconnected', but with no locks / no changes:

This is R80.10 / Jumbo Take 85.

Thoughts?

Robert_Decker
Advisor

It seems that you are using Web-Services method and not mgmt_cli tool.

if discard command after a publish command shows that there are 2 changes, this means that your publish command did NOT complete.

the result of publish command is a task-id.

you should call show-task command with this task-id to verify that the task is completed -

https://sc1.checkpoint.com/documents/latest/APIs/index.html#web/publish~v1.1%20

Robert.

0 Kudos
phlrnnr
Advisor

So, the thought is that when I logged off, the publish task had not yet completed, so the session became disconnected?

Therefore, I need to modify my code to make sure that the task-id has completed before I call the logout function to avoid a disconnected session?

0 Kudos
Robert_Decker
Advisor

As I said, if you use the mgmt_cli tool, all commands are executed in synchronous manner, and when the command returns, it is completed.

On the other hand, if you use REST API Web Services, an asynchronous command as publish command, returns task-id. Your code should check that the command is completed by calling show-task command indicating command completion.

Only then you can move to the next command execution.

Take a look at this post - 

https://community.checkpoint.com/thread/1268

Robert.

0 Kudos
George_Liu
Contributor

Hi s.m.h316f1af6-4c36-4313-ae04-949aa3d79ade

I guess you coding something with WEB API, rectnly I have then same error as you and solved.

The most important is "EVERYTHING IS JSON ON WEB API POST BODY", I descript detail in below for you reference.

When I execute the script from my computer, got the following error message.

Verify the response message from ZAP, I saw the key point "Payload is empty".

I check my logout request, it's true, no body was sent.

So I add a empty json data in body when call logout function from web api, as below, a subroutine called json_body with empty parameter.

(It's written in PERL.)

As below, an empty json body in post logout function and I got a http return code 200 OK.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events