Kaseya Community

VSA API Endpoint - DeleteSession fails on new 9.5.5 release

  • On 9.5.5, when we make the delete session request we get an error back ({"ResponseCode":500,"Status":"Failed","Error":"Invalid session token"}), which is still working on unpatched versions. Usually, that request is a DELETE post request to /api/v1.0/system/users/session that we authorize like any other call, and it kills the token.

    Has anyone run into this?  I realize not many use the DeleteSession, but we are an automation/integration tool, so we are very concerned with security and a tidy integration layer, therefore we manage our sessions closely.

    Any validation or help is appreciated!

  • Hey Corey! We can test this for you, but we have had no end of issues with this call in the past. We found that it would terminate all sessions associated with a specific API user that were established from multiple agents, not the specific session associated with the token. We're testing a revamp of our session logic in ITP starting today, so this can easily be added to our test plan. We've got both down-level and current version VSA platforms to test against.

  • Corey,

    I can confirm that this DOES NOT FUNCTION PROPERLY on 9.5.5 latest release.

    I can also confirm that the issue with the Session Terminate call no longer affects all sessions opened by a user. This incorrect behavior was confirmed by the Kaseya software engineering team about 15 months ago.

    I can send you my test results, but to summarize - the script:

    1. Authenticates
    2. Queries the API for data
    3. Terminates the session
    4. Queries the API for the same data

    On an older platform, this works as expected and step 4 returns a failure (auth), but on a currently patched platform step 4 works, and step 3 reports 500: Invalid session token, as you are seeing.

    This flaw allows the API session token to remain alive and usable until the account inactivity session closes it. Clients with long inactivity sessions would likely be most at risk.

    FYI - We are using the 120-character token in these tests. It would be interesting to try the Delete Session with the short token.

    Request #1946502 was opened with Kaseya support this morning for this issue.
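As an added example (not code from this thread, from Kaseya, or from either poster), the following Python harness automates the four-step test described above so an integrator can verify, before and after a VSA patch, that a terminated session token is really rejected. Only the DELETE /api/v1.0/system/users/session path and the 500 "Invalid session token" body come from the thread; the login endpoint `/api/v1.0/auth` and its `{"Result": {"Token": ...}}` response shape, the `Authorization: Bearer` header, the probe endpoint `/api/v1.0/assetmgmt/agents`, and 401/403 as the "rejected" status are assumptions, and building the Basic auth header VSA expects is outside this example. `FakeVsa` is a constructed in-memory stand-in that models both the expected behaviour and the broken 9.5.5 behaviour so the check runs offline.

```python
"""Check whether a VSA REST session token is really dead after DeleteSession.

Added example, not code from the thread. It runs the four-step test
(authenticate, query, terminate, query again) against any transport: a live
server via urllib, or the in-memory FakeVsa below.
"""
import json
import secrets
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# transport(method, path, headers) -> (http_status, decoded_json_body)
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, dict]]

DELETE_SESSION_PATH = "/api/v1.0/system/users/session"  # from the thread
AUTH_PATH = "/api/v1.0/auth"                 # ASSUMED login endpoint
PROBE_PATH = "/api/v1.0/assetmgmt/agents"    # ASSUMED read-only data endpoint


@dataclass
class RevocationResult:
    delete_status: int
    delete_error: Optional[str]
    probe_status_after_delete: int

    @property
    def token_revoked(self) -> bool:
        # Revoked only if the delete succeeded AND the same token is now
        # rejected; a 500 on delete with a still-working token is the bug.
        return self.delete_status == 200 and self.probe_status_after_delete in (401, 403)


def check_session_revocation(transport: Transport, auth_header: str) -> RevocationResult:
    # 1. Authenticate (ASSUMED response shape {"Result": {"Token": "..."}})
    status, body = transport("GET", AUTH_PATH, {"Authorization": auth_header})
    if status != 200 or "Token" not in body.get("Result", {}):
        raise RuntimeError(f"authentication failed: {status} {body}")
    bearer = {"Authorization": "Bearer " + body["Result"]["Token"]}

    # 2. Query with the fresh token; this must work or the later probe is meaningless
    status, _ = transport("GET", PROBE_PATH, bearer)
    if status != 200:
        raise RuntimeError(f"probe with fresh token returned {status}")

    # 3. Terminate the session
    delete_status, delete_body = transport("DELETE", DELETE_SESSION_PATH, bearer)

    # 4. Query again with the SAME token; a healthy platform rejects it
    probe_status, _ = transport("GET", PROBE_PATH, bearer)
    return RevocationResult(delete_status, delete_body.get("Error"), probe_status)


def urllib_transport(base_url: str) -> Transport:
    """Transport for a live server (not exercised by the offline run below)."""
    def send(method: str, path: str, headers: Dict[str, str]) -> Tuple[int, dict]:
        req = urllib.request.Request(base_url + path, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:
            return err.code, json.loads(err.read() or b"{}")
    return send


class FakeVsa:
    """Constructed in-memory stand-in for the VSA API.

    buggy=True reproduces the 9.5.5 symptom from the thread: DeleteSession
    answers 500 'Invalid session token' and leaves the token usable.
    """
    def __init__(self, buggy: bool):
        self.buggy = buggy
        self.live_tokens: set = set()

    def transport(self, method: str, path: str, headers: Dict[str, str]) -> Tuple[int, dict]:
        auth = headers.get("Authorization", "")
        if method == "GET" and path == AUTH_PATH:
            token = secrets.token_hex(60)  # 120 hex chars, like the long token in the thread
            self.live_tokens.add(token)
            return 200, {"ResponseCode": 200, "Status": "OK", "Result": {"Token": token}}
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        if token not in self.live_tokens:
            return 401, {"ResponseCode": 401, "Status": "Failed", "Error": "Unauthorized"}
        if method == "DELETE" and path == DELETE_SESSION_PATH:
            if self.buggy:
                return 500, {"ResponseCode": 500, "Status": "Failed", "Error": "Invalid session token"}
            self.live_tokens.discard(token)
            return 200, {"ResponseCode": 200, "Status": "OK"}
        if method == "GET" and path == PROBE_PATH:
            return 200, {"ResponseCode": 200, "Status": "OK", "Result": []}
        return 404, {"ResponseCode": 404, "Status": "Failed", "Error": "Not found"}


if __name__ == "__main__":
    for buggy in (False, True):
        r = check_session_revocation(FakeVsa(buggy).transport, "Basic <constructed>")
        print(f"buggy={buggy}: delete={r.delete_status} probe_after={r.probe_status_after_delete} "
              f"revoked={r.token_revoked}")
```

To run it against a test platform, replace `FakeVsa(...).transport` with `urllib_transport("https://vsa.example.test")` and a real auth header. A result with `token_revoked` false is the condition the thread describes: the token stays usable until the account inactivity timeout closes it, so until the fix lands the compensating controls are a short inactivity timeout for API users and alerting on API calls that arrive after the integration has already sent its DeleteSession.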