How do I properly log off from a Web API session without leaving my sessions disconnected?
When providing my session id (X-chkp-sid) with the logoff method, my session is listed as disconnected in SmartConsole. And when reaching the max of xxx disconnected sessions, I can no longer log in.
Please advise.
Hi,
Can you please provide the version of your management server and the API activation method (cli/web service)?
In addition - full input and output of your logout command.
Robert.
POST {{server}}/logout
Content-Type: application/json
X-chkp-sid: {{session}}

{ }
Your command looks just fine and should work. You should receive an "OK" message as a response.
Please note that the logout command doesn't remove the session; it remains in a disconnected state, so you can log in again later and continue working on it.
If you wish to terminate the session when logging out, you should either discard or publish the changes of this session -
login -> work -> publish/discard -> logout.
Meanwhile, if you wish to clean up these disconnected sessions, please use this bash script on your management server -
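#!/bin/bash
# Log in as root on the management server; the session is saved in id.txt
mgmt_cli login -r true > id.txt
# UID of the session this script runs in, so that it is not discarded
current_sid=$(mgmt_cli show session -s id.txt -f json | $CPDIR/jq/jq .uid)
# Discard every other session that was opened through the Web API
for sid in $(mgmt_cli -s id.txt show sessions details-level full -f json \
    | $CPDIR/jq/jq '.objects[] | select ( .["application"] | contains ("WEB_API")) | .uid' \
    | grep -v ${current_sid}); do
  mgmt_cli discard uid ${sid} -s id.txt
done
mgmt_cli logout -s id.txt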
Robert.
Hi Robert,
That clarifies a lot. I indeed receive an "OK" response after logout. I will use your procedure.
Thanks a lot.
Martijn
I am having this same issue when I do the following:
The Session shows up in SmartConsole in 'Disconnected' state.
If I add an extra step between publish and logout which calls 'discard' after the publish, I get this:
{
"number-of-discarded-changes" : 2,
"message" : "OK"
}
If I don't do the discard, the session shows 'Disconnected', but with no locks / no changes:
This is R80.10 / Jumbo Take 85.
Thoughts?
It seems that you are using the Web-Services method and not the mgmt_cli tool.
If the discard command after a publish command shows that there are 2 changes, this means that your publish command did NOT complete.
The result of the publish command is a task-id.
You should call the show-task command with this task-id to verify that the task is completed -
https://sc1.checkpoint.com/documents/latest/APIs/index.html#web/publish~v1.1%20
Robert.
So, the thought is that when I logged off, the publish task had not yet completed, so the session became disconnected?
Therefore, I need to modify my code to make sure that the task-id has completed before I call the logout function to avoid a disconnected session?
As I said, if you use the mgmt_cli tool, all commands are executed in a synchronous manner, and when the command returns, it is completed.
On the other hand, if you use the REST API Web Services, an asynchronous command such as the publish command returns a task-id. Your code should check that the command is completed by calling the show-task command, which indicates command completion.
Only then can you move on to the next command execution.
Take a look at this post -
https://community.checkpoint.com/thread/1268
Robert.
Hi s.m.h,
I guess you are coding something with the Web API; recently I had the same error as you and solved it.
The most important thing is "EVERYTHING IS JSON ON WEB API POST BODY". I describe the details below for your reference.
When I executed the script from my computer, I got the following error message.
Verifying the response message in ZAP, I saw the key point: "Payload is empty".
I checked my logout request, and it's true, no body was sent.
So I added an empty JSON body when calling the logout function from the Web API, as below: a subroutine called json_body with an empty parameter.
(It's written in Perl.)
As below, with an empty JSON body in the POST logout function, I got an HTTP return code 200 OK.
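The two fixes from this thread combined (poll show-task until the publish task finishes, then send logout with an empty JSON object as the body), as an added Python example that is not code from any poster or from Check Point. The function names and the `call` transport parameter are hypothetical, and the response shapes (`task-id`, `tasks[0].status`, the status strings "in progress" and "succeeded") are assumed to match the Management API reference linked above.

```python
import json
import time
import urllib.request


def http_post(base_url, command, payload, sid=None):
    """POST one Web API command. The body is always JSON, even when empty ({})."""
    headers = {"Content-Type": "application/json"}
    if sid:
        headers["X-chkp-sid"] = sid
    req = urllib.request.Request(f"{base_url}/{command}",
                                 data=json.dumps(payload).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def wait_for_task(call, task_id, sid, timeout=300, interval=2, sleep=time.sleep):
    """Poll show-task until the task leaves 'in progress'; return its final status."""
    deadline = time.monotonic() + timeout
    while True:
        reply = call("show-task", {"task-id": task_id}, sid)
        status = reply["tasks"][0]["status"]  # assumed response shape
        if status != "in progress":
            return status
        if time.monotonic() >= deadline:
            # Session is left open on purpose: logging out now would
            # recreate the disconnected-session problem from this thread.
            raise TimeoutError(f"task {task_id} still in progress")
        sleep(interval)


def publish_and_logout(call, sid, **wait_options):
    """publish -> wait for the task -> (discard if it did not succeed) -> logout."""
    task_id = call("publish", {}, sid)["task-id"]
    status = wait_for_task(call, task_id, sid, **wait_options)
    if status != "succeeded":
        call("discard", {}, sid)  # drop pending changes so no locks remain
    call("logout", {}, sid)       # an empty JSON object, never an empty payload
    return status
```

Against a real server, pass `functools.partial(http_post, base_url)` as `call`, where `base_url` is your own server's Web API URL (the `{{server}}` placeholder in the request above).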