Deprecation of cookie based interaction with vSphere REST APIs (vAPIs)
search cancel

Deprecation of cookie based interaction with vSphere REST APIs (vAPIs)

book

Article ID: 320219

calendar_today

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

Symptoms:
vSphere REST APIs were introduced with vSphere 6.0 and added new features with every major release.
To use vSphere APIs, authentication was done based on cookie. This method was found to have security issues that include cross-site request forgery (CSRF).

Environment

VMware vSphere ESXi 6.7
VMware vSphere ESXi 6.5
VMware vSphere ESXi 6.0
VMware vSphere ESXi 7.0.0

Cause

This article provides information on the deprecation of cookie based authentication using vSphere REST APIs and using HTTP header method to do the same. This is relevant to only to vSphere release 6.0, 6.5, 6.7.

Resolution

Note: Starting with vSphere 7.0, cookie based authentication using vSphere REST APIs (vAPIs) are being deprecated. Cookie based methods will continue to work in 7.0 but will be removed after 2 major releases (including 7.0) according to the standard deprecation policy.

To workaround this issue:

Use header based authentication with vSphere REST APIs using the following steps:

  1.  You should call session create API with vmware-use-header-authn header.
 
For example:

POST /rest/com/vmware/cis/session HTTP/1.1

vmware-use-header-authn: true

Authorization: Basic QWRtaW5pc3RyYXRvckB2c3BoZXJlLmxvY2FsOlBhc3N3b3Jk
 
  1. vCenter responds with json containing the session key in the body of the response and no cookie

200 OK
{

    "value": "b00db39f948d13ea1e59b4d6fce56389"
}

  1.  You can make further requests by adding the session id in “vmware-api-session-id” header.
For example:

GET /rest/com/vmware/cis/tagging/category HTTP/1.1

vmware-api-session-id: b00db39f948d13ea1e59b4d6fce56389



Powered by Wolken Software