JSESSIONID Cookies returned in CRTeamraiserAPI calls don't match existing session (Wordpress)

Jeffrey Kaplan
Jeffrey Kaplan
Tenth Anniversary Participant Facilitator 1
in Blackbaud Luminate Online® & Blackbaud TeamRaiser® Discussions

We've run into an issue with a Teamraiser straddling Wordpress and LO. The question is: is there a way to defer to existing JSESSIONIDs and not receive new JSESSIONID cookies when making API calls? Could this potentially be solved by including xhrFields: {withCredentials: true } in the calls?


The general walkthrough of the issues is below (platform in square brackets):
  1. [LO] Participant visits site, logs in, is given JSESSIONID A
  2. [LO] Participant clicks link to visit one of the event pages in WordPress
  3. [WP] API calls made on page load
    1. CRConsAPI call made
      1. Purpose is to verify and persist user session information from LO on WP
      2. Methods called are LoginTest
      3. The API call request passes JSESSIONID A
    2. CRTeamraiserAPI call made
      1. Purpose is to populate leaderboards
      2. Methods called are getParticipants, getTeamsByInfo, getCompaniesByInfo
      3. The API Call request does not pass JSESSIONID A
      4. The response passes back a new JSESSIONID B, which now exists alongside JSESSION A in the user's cookies ?
  4. [WP] Participant clicks to return to their Participant Center 2 [LO]
  5. [LO] The participant center doesn't fully load, instead freezing mid loading bar and giving an auth error on an API call in the console. Specifically, JSESSIONID B is scoped by Path to '/CRConsAPI' so it is passed alongside JSESSIONID A in the GetUser method call (as part of the PC3 loading), and breaks the auth match. If JSESSIONID B cookie is deleted and page refreshed then the PC will load.
Note: API Calls are made using luminate extend 1.7.1
Tagged:

Comments

  • Noah Cooper
    Noah Cooper
    Tenth Anniversary Kudos 2 Participant Facilitator 1
    Yes, I'd recommend always setting withCredentials to true on any API request. That is the only way to send cookies in a cross-domain request.


    I'd also make sure that you're using the secure path with both CRConsAPI and CRTeamraiserAPI -- if you are using the non-secure path with CRConsAPI then the secure path with CRTeamraiserAPI, that would also cause the issue you're describing (even if you do set withCredentials on the request).
  • Jeffrey Kaplan
    Jeffrey Kaplan
    Tenth Anniversary Participant Facilitator 1
    Noah Cooper:

    Yes, I'd recommend always setting withCredentials to true on any API request. That is the only way to send cookies in a cross-domain request.


    I'd also make sure that you're using the secure path with both CRConsAPI and CRTeamraiserAPI -- if you are using the non-secure path with CRConsAPI then the secure path with CRTeamraiserAPI, that would also cause the issue you're describing (even if you do set withCredentials on the request).



    Thanks Noah! Setting withCredentials to true fixed the issue.

Categories