[9.24] Login via calling xas/ return 401 (Unauthorized)

We have our own login page which is not written via Mendix, it’s an independent application on another server. After an upgrade from 9.22 to 9.24, our login action on this login page with username and password (only with this two parameters in POST body) will call the Mendix application’s xas/ API, then this API return 401, and it’ll redirect to login.html which block this login action. But the Mendix server log shown the login is successful each time even if the xas/ return 401. Please see the screenshot:   Bad 401 code cookie: XASID=0.b6db9202-7b5e-4de6-bec4-ec79f605d334; originURI=/login.html; __Host-SessionTimeZoneOffset=-480; __Host-XASSESSIONID=95950325-b17b-4840-9890-e1a9b152d07b; xasid=0.b6db9202-7b5e-4de6-bec4-ec79f605d334; __Host-DeviceType=Desktop; __Host-Profile=Responsive; XASSESSIONID=2bc0ca0b-fdee-44ab-b1db-f32ff2abc7d8   Good 200 code cookie (after clear browser’s cookie): XASSESSIONID=6001dd17-098f-4f3e-8db9-29d829d31872; XASID=0.b6db9202-7b5e-4de6-bec4-ec79f605d334; originURI=/login.html   It can be jump to index.html only if I clear the browser’s cookies. I don’t need to clear cookies each time login before 9.24. Runtime config: SessionTimeOut set to 1h. Multiple sessions per user set to YES. EnableKeepAlive is default to ture.   Does this mean the XASSESSIONID or what identification inside cookie will be expired once a successful login. Then all the upcoming login with this old cookie via xas/ would be unsuccessful. Is there any changes on xas/ API or user session logic changes on 9.24?    Alan Thanks
2 answers



I hope you can solve it very quickly. As my team, we decided not to convert our project 9.24 immeaditely. We follow the error situation between old versions and 9.24. It keeps us save for a while.


When we come to your problem, as you state there is a redirection to mendix build-in login page then you redirect your customized one. Probably it cause the changes XASSESSIONID in that time.

My suggestion you should solve the redirection problem inside your ASU_Startup (after login microlfow) or inject javascript query in mendix login page for redirection.


I hope that works for you.   By the way, did you get any reply from mendix support?


We found the root cause and resolved:

Hint from: https://docs.mendix.com/partners/sap/sap-xsuaa-connector/#v920

API docs reference: 


The last two boolean parameters is added for security enhancement:

isHttpOnly - set the HttpOnly attribute of the cookie

isHostOnly - prefix key with __Host-

response.addCookie(SESSION_ID_COOKIE_NAME, session.getId().toString(), "/", "", -1, true, true);