Showing results for 
Search instead for 
Did you mean: 

HTTP XMLAPI Authentication Problem


Hello I'm not really a Cisco Developer, rather I am tasked to integrate Cisco's Webx to ServiceNow. So far CUCM and RISPort70 has been a breeze to connect and get the information we need, but Endpoints using session based login is causing some confusion.


According to Collaboration Endpoint Software 9.15 to set the session is to get the SessionId but http://<ip-address>/
xmlapi/session/begin responds with SecureClientId in the headers.

I tried both just getting the SecureClientId value and just plugging it on SessionID and straight up using SecureClientID for the Cookie header but I still end up with a 401

5 Replies 5

Raffaele Lagana
Cisco Employee
Cisco Employee

Hello, the sessionId should be part of the Set-Cookie Response Header, do you see it there?

Would look something like: "Set-Cookie: SessionId=f08102c8ce5aaf8fba23a7238
cc2ef464b990e18bfbb7fb048820c0e28955c54; Path=/;

Hello, That's what I expect to see from the response right? But the value of Set-Cookie starts with SessionClientId not SessionId


here's my request (obscured some data for security)

POST /xmlapi/session/begin HTTP/1.1
Host: 10.102.XXX.XX
Authorization: Basic <base64>


here's a response header from 2days ago.(obscured some data for security)

{"Referrer-Policy":["same-origin"],"X-Frame-Options":["SAMEORIGIN"],"Server":["nginx"],"Cache-Control":["no-cache, no-store"],"X-Content-Type-Options":["nosniff"],"Content-Security-Policy":["base-uri 'self'; form-action 'self'; frame-ancestors 'self'; block-all-mixed-content","default-src 'self'; style-src 'self' 'unsafe-inline'; worker-src 'self' blob:; img-src 'self' data:"],"Connection":["keep-alive"],"Set-Cookie":["SecureClientId=95cc7c01962fa97207b41614251d57d5140000e686088d0dd1ea21c9f62cXXXX; Path=/web; HttpOnly; secure"],"X-XSS-Protection":["1; mode=block"],"Date":["Thu, 07 Apr 2022 11:05:40 GMT"]}


Ok thanks, just to be sure was the token that's used here one which was authenticated by an admin?

I'm not really sure, they only gave the username/password credentials. weird thing is when we use postman its returning SecureSessionId and it works using this when using it for other api calls.


I only copy pasted the code generated by postman for a quick test but we're still getting SessionClientId

Could you share the code you are using to make this post request outside of postman?  We have been trying to duplicate this but have not been able to so far. 


One strange thing about the response you are receiving is that its showing the path was set to /web (Path=/web) instead of "/xmlapi/session/begin".  I only see this /web path when i try to make a request to the host device without any url path, in that case it does a redirect to /web first.


Also could you confirm if you are being redirected (HTTP 302)to the HTTPS url when testing in postman?

Getting Started

Welcome to the Webex Community. This is your home to ask questions, share knowledge, and attend live webinars.

Recognize Your Peers