Emerging Member
Posts: 94
Registered: ‎03-05-2018
Kudos: 36

using API to authenticate login kills UCRM session

Quick question, we have been noticing that when we use the API to authenticate a session (mobile/login) and then we log in to our actual UCRM system, the session from the mobile/login is killed and we have to log in again.

Our environment is set up in the following format:

One server running UCRM on standard port using SSL

On the same server we have separate software that connects to UCRM using the API. It's accessible via a non-public port and it requires the user to log in using their UCRM login credentials; we authenticate those via the mobile/login API.

Whenever the user (admin/staff) logs in and then logs into the UCRM instance, they are kicked out of our other software.

Any ideas on how we can address this? Or what's causing this to happen?

Ubiquiti Employee
Posts: 1,098
Registered: ‎03-21-2016
Kudos: 177
Solutions: 126

Re: using API to authenticate login kills UCRM session

Hello @sergiov87, do you have the expiration parameter on the mobile login set up correctly? Take a look at the API documentation here: https://ucrmbeta.docs.apiary.io/#reference/mobile/mobilelogin/post

If you don't set up the expiration parameter at all on the endpoint, it will basically expire instantly.

Emerging Member
Posts: 94
Registered: ‎03-05-2018
Kudos: 36

Re: using API to authenticate login kills UCRM session

@UBNT-Ondra I have the expiration value set to 604800.

It just seems that any PHP session I have active on the same server, on any application running on a different port, gets killed as soon as I log in to UCRM or log out.

It works fine if I log in through another browser, but if I'm on the same browser, any existing session I have is destroyed when I log in to UCRM.

Ubiquiti Employee
Posts: 1,098
Registered: ‎03-21-2016
Kudos: 177
Solutions: 126

Re: using API to authenticate login kills UCRM session

@sergiov87  What UCRM version are you running?

Emerging Member
Posts: 94
Registered: ‎03-05-2018
Kudos: 36

Re: using API to authenticate login kills UCRM session

@UBNT-Ondra Currently we are running 2.13.5.

We plan on updating it Monday to the newest version of 2.13.6.

Ubiquiti Employee
Posts: 1,098
Registered: ‎03-21-2016
Kudos: 177
Solutions: 126

Re: using API to authenticate login kills UCRM session

@sergiov87 Just to clarify, you are using the API login endpoint in your own code somewhere (not via the UCRM mobile app)?

If so, does it run on the same domain (or IP) with only port being different?

Emerging Member
Posts: 94
Registered: ‎03-05-2018
Kudos: 36

Re: using API to authenticate login kills UCRM session

Yes, that's correct, we have our own web application that we built and that connects to UCRM via the API; it runs on the same server/domain, just on a different port.

Ubiquiti Employee
Posts: 1,098
Registered: ‎03-21-2016
Kudos: 177
Solutions: 126

Re: using API to authenticate login kills UCRM session

@sergiov87 Thank you, I think I now know where the problem is. I'll let you know if we need to know more information, but it should be fixed in next release (probably next week).

Emerging Member
Posts: 94
Registered: ‎03-05-2018
Kudos: 36

Re: using API to authenticate login kills UCRM session

@UBNT-Ondra Sounds great, do let me know if you guys need any other info, thanks!

Ubiquiti Employee
Posts: 1,098
Registered: ‎03-21-2016
Kudos: 177
Solutions: 126

Re: using API to authenticate login kills UCRM session

@sergiov87  So, I was not able to reproduce the issue with the idea I had. It's possible the fix I had in mind for next release will still help you, but now I can't be sure.

Would it be possible to send me (in PM) the actual code, that's causing problems to you? I might be able to find the problem then.

Emerging Member
Posts: 94
Registered: ‎03-05-2018
Kudos: 36

Re: using API to authenticate login kills UCRM session

@UBNT-Ondra Not a problem, I'll send you a PM with the information you are requesting.

Thanks!

Ubiquiti Employee
Posts: 1,098
Registered: ‎03-21-2016
Kudos: 177
Solutions: 126

Re: using API to authenticate login kills UCRM session

Hello @sergiov87,

Thank you for the code. I was able to reproduce your issue now and it actually has nothing to do with the login endpoint. The problem is actually in 2 applications running on the same domain.

Since the cookies are based on domain name / IP address and not a port, you have the sessions shared between both UCRM and your application. And since UCRM destroys the current session on login/logout, it gets destroyed in your application as well, because you're using the default session name just like UCRM does (PHPSESSID).

I've got 2 possible solutions for you:

  1. You can rename the session identifier in your application using PHP's session_name (http://se.php.net/manual/en/function.session-name.php). This will prevent UCRM from destroying your session data.
  2. You can actually use the same session and use UCRM's "/current-user" endpoint out of the box, which would remove the need to call the mobile login. If your user logged into UCRM, he would be automatically logged in in your application, and if he would log out in UCRM, he would be automatically logged out as well.
     This endpoint is available since UCRM 2.14.0-beta1 and you can read more about it here: https://github.com/Ubiquiti-App/UCRM-plugins/blob/master/docs/security.md

Personally I would go with the second option as it's cleaner, but if you need just a quick'n'dirty solution, the first one will work just fine.
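
Option 1 above, sketched as a session bootstrap for the custom application. This is an added example, not code from the thread or from UCRM; the name `MYAPPSESSID` and the helper functions are hypothetical, and it assumes PHP 7.3+ and that the application is served over HTTPS.

```php
<?php
declare(strict_types=1);

// Hypothetical cookie name for this example; anything other than PHPSESSID
// keeps this app's session cookie separate from the one UCRM manages.
const APP_SESSION_NAME = 'MYAPPSESSID';

function start_app_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // session_name() must run before session_start(). Cookies are scoped by
    // host, not port, so two apps on one host that both use the default
    // PHPSESSID read and overwrite the same cookie.
    session_name(APP_SESSION_NAME);
    session_set_cookie_params([
        'lifetime' => 0,      // browser-session cookie
        'path'     => '/',
        'secure'   => true,   // assumption: the app is reached over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login_succeeded(string $username): void
{
    // Issue a fresh ID after authentication so a pre-login ID is never reused.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
}

function logout(): void
{
    // Clear only this app's session and cookie; PHPSESSID is left to UCRM.
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}
```

After deploying a change like this, the browser's cookie list for the host should show two separate session cookies, and logging in or out of UCRM should leave the `MYAPPSESSID` value untouched.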

Emerging Member
Posts: 94
Registered: ‎03-05-2018
Kudos: 36

Re: using API to authenticate login kills UCRM session

@UBNT-Ondra Thanks for the suggestions, I too prefer option 2 and we'll probably implement that in place. If anything comes up I'll follow up.

Thanks again!