
API V2 Session Logout doubts

Question asked by rfryca on Jan 29, 2013
Latest reply on Jan 30, 2013 by rfryca

I have a problem successfully making a logout session request.
The use case is simple: first a call to logon, then a call to logout.

But it does not work like that.


First Login request:

POST https://qualysapi.qualys.eu/api/2.0/fo/session/?username=xxx&password=yyy&action=login&echo_request=0 HTTP/1.1
Authorization: Basic xxx:yyy ==
X-Requested-With: Qualys Sharp API V2 use attempt
Content-Type: application/x-www-form-urlencoded
Host: qualysapi.qualys.eu
Content-Length: 0
Connection: Keep-Alive


Next Login response:

HTTP/1.1 200 OK
Date: Tue, 29 Jan 2013 12:36:49 GMT
Server: qweb/4.0k.el4
X-Frame-Options: SAMEORIGIN
Set-Cookie: QualysSession=22bf40b0f49be700be7b2a38b54f3297; path=/api; secure
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=15, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/xml

105
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE SIMPLE_RETURN SYSTEM "https://qualysapi.qualys.eu/api/2.0/simple_return.dtd">
<SIMPLE_RETURN>
  <RESPONSE>
    <DATETIME>2013-01-29T12:36:50Z</DATETIME>
    <TEXT>Logged in</TEXT>
  </RESPONSE>
</SIMPLE_RETURN>

0

All looks OK so far.

 

Just after that, the Logout request:

POST https://qualysapi.qualys.eu/api/2.0/fo/session/?action=logout&echo_request=0 HTTP/1.1
Authorization: Basic xxx:yyy ==
X-Requested-With: Qualys Sharp API V2 use attempt
Content-Type: application/x-www-form-urlencoded
Set-Cookie: QualysSession=22bf40b0f49be700be7b2a38b54f3297; path=/api; secure;
Host: qualysapi.qualys.eu
Content-Length: 0

And the surprising response:

HTTP/1.1 403 Forbidden
Date: Tue, 29 Jan 2013 12:36:51 GMT
Server: qweb/4.0k.el4
X-Frame-Options: SAMEORIGIN
Transfer-Encoding: chunked
Content-Type: text/xml

124
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE SIMPLE_RETURN SYSTEM "https://qualysapi.qualys.eu/api/2.0/simple_return.dtd">
<SIMPLE_RETURN>
  <RESPONSE>
    <DATETIME>2013-01-29T12:36:51Z</DATETIME>
    <CODE>2010</CODE>
    <TEXT>Bad Login/Password</TEXT>
  </RESPONSE>
</SIMPLE_RETURN>

0

So I have read TFM for the V1 API and found the error code:
2010: User account is not authorized to perform this function

So my user is authorized to log on, but cannot log off?

I am quite a new user of the Qualys API, so maybe it is the wrong concept of using it, or you know about some magic I need to do.
I would be glad to know if I am doing something incorrectly.

 

What are those login and logon session functions for? (I know what has been written in the manual.)

I have made several API function calls in my library without first calling the logon session call.

Including retrieving report and scan data as well as asset lists.

Is it necessary in real life (own libraries using the API) to call those functions?

Thx in advance for sharing your knowledge with a newbie.

I tried searching before but have not found a similar issue.
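
The login response above hands the session id to the client in `Set-Cookie`; under RFC 6265 a client returns a cookie in a `Cookie` request header, and anything placed in a URL query string tends to end up in proxy and server logs. The following Python check is an added example, not part of the original post and not Qualys code: `parse_request`, `lint_request`, `cookie_header` and `SECRET_PARAMS` are hypothetical names, and the two sample requests are constructed from the captures in the post.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed from the captures in the post (xxx/yyy are the post's own placeholders).
LOGIN_REQUEST = (
    "POST https://qualysapi.qualys.eu/api/2.0/fo/session/"
    "?username=xxx&password=yyy&action=login&echo_request=0 HTTP/1.1\r\n"
    "X-Requested-With: Qualys Sharp API V2 use attempt\r\n"
    "Host: qualysapi.qualys.eu\r\n\r\n"
)
LOGOUT_REQUEST = (
    "POST https://qualysapi.qualys.eu/api/2.0/fo/session/"
    "?action=logout&echo_request=0 HTTP/1.1\r\n"
    "X-Requested-With: Qualys Sharp API V2 use attempt\r\n"
    "Set-Cookie: QualysSession=22bf40b0f49be700be7b2a38b54f3297; path=/api; secure;\r\n"
    "Host: qualysapi.qualys.eu\r\n\r\n"
)
SECRET_PARAMS = {"password", "passwd", "token"}  # hypothetical list for this sketch


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (target, {lower-cased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    target = head[0].split(" ")[1]
    headers = {}
    for line in head[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return target, headers


def lint_request(raw):
    """Return findings for two client-side mistakes visible in a raw request."""
    target, headers = parse_request(raw)
    findings = []
    if "set-cookie" in headers and "cookie" not in headers:
        findings.append("session sent as Set-Cookie (response header); use Cookie")
    if SECRET_PARAMS & set(parse_qs(urlsplit(target).query)):
        findings.append("secret in URL query string; move it to the POST body")
    return findings


def cookie_header(set_cookie_value, name="QualysSession"):
    """Build the Cookie request header value from a server's Set-Cookie value."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    return f"{name}={jar[name].value}"  # attributes (path, secure) are not echoed back
```
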

