Prevent Reuse of REST API Sessions in UI/Web

  • Release version: Australia
  • Updated March 12, 2026
  • 1 minute read
  • Prevent REST API session cookies from bypassing Single Sign-On (SSO) and Multi-Factor Authentication (MFA) controls using a system property.

    Use the com.glide.processors.aprocessor.donot_reuse_api_session system property to help prevent the cookies associated with a session created through the REST API from being reused to initiate UI/web sessions.

    Verify that com.glide.processors.aprocessor.donot_reuse_api_session exists in the System Properties [sys_properties] table and is set to true.
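    One way to script the verification above (an added example, not ServiceNow's own code): it builds a Table API query for the property record and classifies the JSON response. The instance URL and the sample responses are constructed placeholders, and treating the listed fallback value (false) as the effective value when the record is absent is an assumption.

```python
import json
from urllib.parse import urlencode

PROP = "com.glide.processors.aprocessor.donot_reuse_api_session"
FALLBACK = "false"  # "Fallback value" listed on this page (assumed to apply when no record exists)


def table_api_url(instance_url):
    """Build the Table API query that returns the sys_properties record, if any."""
    query = urlencode({
        "sysparm_query": f"name={PROP}",
        "sysparm_fields": "name,value",
        "sysparm_limit": "1",
    })
    return f"{instance_url.rstrip('/')}/api/now/table/sys_properties?{query}"


def assess(response_body):
    """Classify a Table API JSON response as (status, effective_value)."""
    rows = [r for r in json.loads(response_body).get("result", [])
            if r.get("name") == PROP]
    if not rows:
        # No record in sys_properties: report the fallback, not the default.
        return ("MISSING", FALLBACK)
    value = (rows[0].get("value") or "").strip().lower()
    if value == "true":
        return ("OK", value)
    # Record exists but is not the recommended value.
    return ("NOT_HARDENED", value)


if __name__ == "__main__":
    # Constructed sample responses; the host name is a placeholder.
    print(table_api_url("https://example-instance.invalid"))
    samples = {
        "hardened": json.dumps({"result": [{"name": PROP, "value": "true"}]}),
        "disabled": json.dumps({"result": [{"name": PROP, "value": "false"}]}),
        "absent": json.dumps({"result": []}),
    }
    for label, body in samples.items():
        print(label, assess(body))
```

    Send the GET request with an account that can read sys_properties and pass the response body to assess(); anything other than OK means the property should be created or set to true.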

    More information

    Attribute             Description
    Configuration name    com.glide.processors.aprocessor.donot_reuse_api_session
    Configuration type    System Properties (/sys_properties_list.do)
    Data type             Boolean
    Recommended value     true
    Default value         true
    Fallback value        false
    Category              Session management
    Security risk
    • Severity score: 4.3
    • CVSS score: Medium
    • Security risk details: Reusing REST API session cookies for a web session bypasses Single Sign-On (SSO) and Multi-Factor Authentication (MFA) controls. This bypass can be an escalation of intended privileges. SSO and MFA controls are important requirements to help prevent unauthorized access to data.
    Functional impact

    When com.glide.processors.aprocessor.donot_reuse_api_session is set to true:

    • API session cookies can no longer be reused to initiate web sessions.
    • All web sessions require full authentication (SSO/MFA), regardless of any existing API session.

    Potential Breakage:

    • Custom integrations, scripts, or legacy workflows that relied on the ability to transition from an API session to a web session without re-authentication will fail.
    • Automated processes or tools that previously bypassed SSO/MFA using API session cookies are forced to complete the full authentication flow.
    • Users may experience unexpected authentication prompts if their workflows were implicitly relying on this behavior.

    Before enabling, customers should review integrations and customizations:

    • Audit all integrations, scripts, and tools that interact with the instance via API and web interfaces.
    • Identify any that may be relying on session cookie reuse for seamless transitions between API and web sessions.
    Dependencies and prerequisites    None