· Jul 24, 2023

REST Service uses CSP license session after Upgrade from Caché to IRIS

After installing IRIS 2023.1 on a live copy of our production machine, our REST Service now consumes a CSP Session with every request. The request is handled as expected, but uses one of the 5 CSP Sessions per license. So after 25 requests, the license is used up. The Grace time always shows 0 and the sessions stay for a very long time. (Maybe the 900 seconds timeout.)
On Caché 2018, we had the same settings for the Webapp and there, only a single Session was set for all requests. The Caché request didn't use any cookies. 
Here we also used $system.License.PublicWebAppUser(), which I think is not available in IRIS.

Postman sends the same request as the browser but with a session cookie set automatically. This only consumes one session as in Caché. I want to replicate this behaviour in the browser.

Sending the XMLHttpRequest from the browser does not include the cookie, and therefore it always uses a new session.
My Google search only yielded the answer that you cannot manually set cookies for XMLHttpRequests for security reasons.

When doing the requests with the synchronous CSP Broker Method from cspHttpServerMethod, only a single session is used because the session cookie is sent.
This, however, also uses XMLHttpRequest and is able to send the request with a session cookie. However, I couldn't find how the function did this.

How is the cspHttpServerMethod using the session Cookie and how would I implement it in a request such as this:

 return new Promise((resolve, reject) => {
      let xhttp = new XMLHttpRequest();
      xhttp.open('POST', [URL], true);
      xhttp.setRequestHeader('Content-type', 'text/plain; charset=ISO-8859-1');
      var Para=...


- REST checked
- Dispatch class set 
- GroupByID set
- No authentication checked
- Timeout 900
- Cookie use : Always, Path set, strict, strict

Dispatch class:
Parameter HandleCorsRequest = 1;
Parameter UseSession As Integer = 1;

Product version: IRIS 2023.1
$ZV: IRIS for Windows (x86-64) 2023.1.1 (Build 380U) Fri Jul 7 2023 23:43:12 EDT

We had the same issue after upgrading from Ensemble and got around it by doing a session login and end session explicitly in the handler method in our REST Dispatcher class.

For example:

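ClassMethod PatientHandler(pId As %String = "") As %Status
{
    // Log the request in as a named user so it is not counted as an unauthenticated connection
    set sc = %session.Login("rest_user","",1)

    // ...... Rest of the method code  ....

    // End the session when the request completes so it does not linger until the timeout
    set %session.EndSession = 1

    quit sc
}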


InterSystems enforced SOAP/REST licensing but may have removed it.
In the InterSystems IRIS® Upgrade Checklist (2023.1) you can see in the Google cached webpage:

DP-417320: Enforce SOAP/REST licensing

Category: Licensing
Platforms: All
Version: 2023.1.0

In previous versions, the product did not enforce the SOAP/REST licensing rules.

With this version, we are now enforcing those licensing rules. Each authenticated SOAP/REST request will be licensed as a concurrent user (with multiple connections allowed). Unauthenticated requests (i.e. $Username = "UnknownUser") will be counted as independent user connections and subject to a 10-second minimum connection time.

Maybe you can try again with a more recent release or rework your app to use authenticated users.

This text mentions that requests will be treated as concurrent users with multiple connections. This would be totally fine if I managed to send the SessionID Cookie so the system recognizes multiple requests coming from the same user.

However, each request is treated as a new user, as I am unable to send the cookie with XMLHttpRequests whereas the CSP.Broker Method is able to send the Cookie.
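
Added example, not part of the original thread or of InterSystems' code: one way to make a cross-origin XMLHttpRequest carry the browser's existing session cookie, together with the response-header check the browser applies to such a request. It assumes the page and the REST web application are on different origins (suggested by HandleCorsRequest = 1); `postWithSession`, `credentialedCorsAllowed` and the injectable `XhrCtor` parameter are hypothetical names.

```javascript
// Added example (not from the thread). Assumption: the page and the REST web
// application are on different origins, so the browser omits cookies by default.

// POST text to a REST endpoint and let the browser attach its stored cookies.
// XhrCtor is injectable only so the function can be exercised outside a browser.
function postWithSession(url, body, XhrCtor = globalThis.XMLHttpRequest) {
  return new Promise((resolve, reject) => {
    const xhttp = new XhrCtor();
    xhttp.open('POST', url, true);
    // Script cannot set the Cookie header itself (forbidden header name);
    // withCredentials asks the browser to send the cookies it already holds.
    xhttp.withCredentials = true;
    xhttp.setRequestHeader('Content-Type', 'text/plain; charset=ISO-8859-1');
    xhttp.onload = () => (xhttp.status >= 200 && xhttp.status < 300
      ? resolve(xhttp.responseText)
      : reject(new Error('HTTP ' + xhttp.status)));
    // A CORS rejection surfaces here without detail; inspect the response headers.
    xhttp.onerror = () => reject(new Error('network or CORS failure'));
    xhttp.send(body);
  });
}

// Mirrors the browser's check on a credentialed cross-origin response:
// Access-Control-Allow-Origin must equal the page origin exactly ("*" is
// refused) and Access-Control-Allow-Credentials must be the literal "true".
function credentialedCorsAllowed(pageOrigin, responseHeaders) {
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  return h['access-control-allow-origin'] === pageOrigin &&
         h['access-control-allow-credentials'] === 'true';
}
```

A session cookie scoped SameSite=Strict or Lax is still withheld from a cross-site XHR POST regardless of `withCredentials`, and a server that answers with `Access-Control-Allow-Credentials: true` should echo only allow-listed origins.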