 

Setting authentication cookie manually in Postman

I authenticate in Postman by sending a POST request to an API endpoint (HTTPS) with my credentials included. The response sets two cookies.

Set-Cookie →atlassian.xsrf.token=AGH6-ZEXS-8CED-D3BW|96bac852b72xxx42042593f13axxxxe7f3ff1d5f|lout;path=/;Secure
Set-Cookie →JSESSIONID=8C53xxx0xxxx46B4A5201A68C098604DF08;path=/;Secure;HttpOnly

I click the 'Cookies' button in Postman and see that these two cookies are saved. When I now send a GET request to a secured page, I get authenticated and receive the expected response.

However, I need to do this programmatically, so I try to set the cookies manually by adding a header to the request, using the same values I got in the original response.

Cookie: atlassian.xsrf.token=AGH6-ZEXS-8CED-D3BW|5xxxxxxxxba42582fb230ac7d7416e81204|lout;JSESSIONID=7AFxxxxxxxx27A461A01C193C57D

I also delete the cookies saved in Postman.

Now, my request gets redirected to a login-screen, as I apparently did not get authenticated.

What is the difference between my first and second GET request? How can I make sure the request is authenticated correctly?

wasmachien asked Oct 27 '25 18:10


1 Answer

Sorry for the late reply. In your first GET, Postman will send the JSESSIONID to your server. You're already authenticated, so the request will obviously be accepted. But for the second one, you don't provide the JSESSIONID cookie and, more importantly, your JSESSIONID is not associated with a living HTTP session.

Whyvra FVR answered Oct 30 '25 15:10
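Added example, not part of the original question or answer: a small JavaScript check that builds the `Cookie` request header from the login response's `Set-Cookie` values and reports where a hand-written header is missing a cookie or carries a different value, which is the situation the answer describes for JSESSIONID. The function names are hypothetical and the cookie values are constructed placeholders, not the tokens from the question.

```javascript
// Constructed sample values standing in for the login response headers.
const setCookieLines = [
  'atlassian.xsrf.token=AAAA-BBBB|0123abcd|lout;path=/;Secure',
  'JSESSIONID=SESSION_FROM_LOGIN;path=/;Secure;HttpOnly',
];

// Parse one Set-Cookie value into { name, value }. Attributes such as
// path, Secure and HttpOnly are dropped: they are never sent back.
function parseSetCookie(line) {
  const pair = line.split(';')[0];
  const eq = pair.indexOf('=');
  if (eq < 1) throw new Error('malformed Set-Cookie: ' + line);
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim() };
}

// Build the Cookie request header value from the login response.
function buildCookieHeader(lines) {
  return lines.map(parseSetCookie).map(c => `${c.name}=${c.value}`).join('; ');
}

// Parse a Cookie request header value into a Map of name -> value.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 1) continue; // skip empty or malformed segments
    jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  return jar;
}

// List cookies that a hand-written header omits or sends with a value
// different from the one the server issued at login.
function diffAgainstLogin(lines, manualHeader) {
  const sent = parseCookieHeader(manualHeader);
  const problems = [];
  for (const { name, value } of lines.map(parseSetCookie)) {
    if (!sent.has(name)) problems.push(`${name}: missing`);
    else if (sent.get(name) !== value) problems.push(`${name}: value differs from login response`);
  }
  return problems;
}
```

An empty result only means the header matches what the server issued; the request is still redirected to the login screen if that session has since expired or been invalidated on the server.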


