Content Server - Using RestAPI with LLCookie value as OTCSTicket

Hi,

I am trying to call Rest API from within a Content Server page (custom HTML page). This piece of code should run from logged in user's session. I am looking to re-utilize the Ticket which has already been generated at the time of login because the environment is SSO enabled and username/password is not an option here. After some HTTP fiddler inspection, LLCookie is the value I can find from the cookies and am able to use in place of OTCS Ticket which is same as OTCSTicket. (Its working fine)

Just want to confirm, if this is something I can rely on and deploy this solution or is any there any better option.

CS 16.2 - IIS (anonymouse)
OTDS 16.2 (http.negotiate)

Regards,

Find more posts tagged with

Comments

Ferdinand Prantl

The current implementation of CS REST API uses a decoded LLCookie in the request header "OTCSTicket" to authenticate the request. This may change and you should not rely on it, but it will work in all CS versions until 16.2.8, at least. However, parsing the cookie on the client side will not work, if the customer applies the recommended security setting to make the cookies HTTP-Only.

CS REST API does not accept cookies for authentication to mitigate the CSRF vulnerability. You have to set a custom request header explicitly to authenticate your requests. You can use either OTCSTicket (returned by POST /api/v1/auth or by OTDS REST API) or OTDSTicket (returned by OTDS REST API).

We recommend custom HTML pages to be generated on the server side. By WebLingo, JSP, ASP.NET or other framework. It allows you to write the ticket to a script template, which you make the AJAX calls from. For example, if you deploy an OScript module to CS, you can expose a request handler generating your HTML page. You would get the ticket by calling CSUI::Utils.GetOTCSTicket() and write it to a <script> on your page. You will not need to parse the cookie on the client side then.

Smart View will support SSO for custom static pages in the 16.2.8 update the next March. If you use it, you'll be able to use SSO for CS REST API on static HTML pages too.

Khurram Shahzad

Hi Fardinand,

Thank you for the reply.

Can I call CSUI::Utils.GetOTCSTicket() from webReport Server side script block? Or any other option with WebReport instead of plain HTML Page.

Regards,

dluo

In CS16, you an use the tag [LL_REPTAG_OTCSTICKET /] in Webreport to get the ticket based on this post:

https://knowledge.opentext.com/knowledge/cs.dll?func=ll&objId=69690386&objAction=viewincontainer&ShowReplyEntry=75640766#forum_topic_75640766