For security reasons, requests using HTTP Basic Authentication cannot include cookies POST,CURL

Notsileous
Visitor
2 0 7

I have a group of PHP scripts that interact with a handful of stores that sell our product. I import the orders, update tracking, and feed our inventory. These are all private apps that only run on our server. 

Out of nowhere today, I started getting this error "{"errors":"For security reasons, requests using HTTP Basic Authentication cannot include cookies."}" when trying to use any POST requests (update tracking, inventory).

I have no cookies that I am aware of, this is the CURL request for tracking:

```php
// $shopURL and $dataString are defined elsewhere (not shown)
$curl = curl_init();
curl_setopt_array($curl, [
    CURLOPT_URL => $shopURL,
    CURLOPT_RETURNTRANSFER => 1,
    CURLOPT_CUSTOMREQUEST => 'POST',
    CURLOPT_HTTPHEADER => array(
        "Content-Type: application/json",
        "accept: application/json"
    ),
    CURLOPT_POSTFIELDS => $dataString
]);
//perform request
$result = curl_exec($curl);
```

Did something change? I cannot find any changelog entries hinting at this, it just started for me around 11am EST 1/5/2020.

Replies 22 (22)

Nicholas_P
Shopify Partner
30 3 24

Yes, I think I just started seeing this too around 11 a.m. The server is responding with a 301 (which our code follows implicitly) that takes you to a weird login page. I can see the same cookie message in Postman, but the cookies dialog is empty and as far as I'm aware, no cookies are being sent.

briant1
Visitor
1 0 0

Me too, I ran a similar test with Postman and have the same result.

Notsileous
Visitor
2 0 7

Well thank god it is not just me, is there an outlet for reporting these issues?

ryantkelly
Excursionist
12 0 12

I'm seeing it as well. The replies for Shopify Support on Twitter are lit up with this issue.

grwthgrp
Shopify Partner
4 0 1

Happening for us as well.

Brad_Coates
Tourist
3 0 2

Yup, status page finally updated reporting this issue: https://www.shopifystatus.com

Gregarican
Shopify Partner
1033 86 285

This issue now appears on the Shopify status page --> https://www.shopifystatus.com/incidents. Definitely a kink in the Matrix.

DanAtBonify
Shopify Partner
54 4 32

Yep, unable to POST to metafields or customers. Getting back an HTML page instead of the typical API JSON response.

Paddy_O_Farrell
Tourist
12 0 4

Seeing the same here, working for months until about 2 hours ago, I was head scratching to see if I'd missed an API update that broke my code. I'm getting: "Error: For security reasons, requests using HTTP Basic Authentication cannot include cookies." - this was working fine, it's resulting from trying to create a Customer (with metafields) via PHP.

Gregarican
Shopify Partner
1033 86 285

The status page indicates it's up again now. Haven't tried it yet, but that's what it says at least...

Paddy_O_Farrell
Tourist
12 0 4

Just tried it there, and it's working now again for me, thanks to whomever sorted it out!

ryantkelly
Excursionist
12 0 12

Working for me as well again.

etrolmos
Shopify Partner
23 1 5

I'm curious if this was a future change accidentally rolled out too soon (and since reverted), thus I will need to make changes to my code at some point anyways?

For OP, something like this should clear out the cookies before a request:

```php
curl_setopt( $ch, CURLOPT_COOKIELIST, 'ALL' );
```

But I'm not sure if the API did pass a Set-Cookie header, and the no-cookies rule was then being randomly enforced by the API, or what happened since it resolved before I could collect enough data from this inherited app.
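The failure modes reported in this thread (a 301 followed implicitly to a login page, an HTML body instead of JSON, the cookie error string) handled in one request wrapper; this is an added example, not code posted by any participant. The function names are hypothetical, the URL and credentials are supplied by the caller, and the sample responses at the end are constructed.

```php
<?php
// Added example, not from the thread. Function names are hypothetical.

// Options for a Basic Auth JSON POST on a fresh handle. No cookie option is set,
// so libcurl's cookie engine stays off and no Cookie header can be replayed.
function apiPostOptions(string $url, string $user, string $pass, string $json): array
{
    return [
        CURLOPT_URL            => $url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HEADER         => true,   // keep response headers for logging
        CURLOPT_FOLLOWLOCATION => false,  // surface a 301 instead of following it
        CURLOPT_HTTPAUTH       => CURLAUTH_BASIC,
        CURLOPT_USERPWD        => $user . ':' . $pass,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $json,
        CURLOPT_HTTPHEADER     => ['Content-Type: application/json', 'Accept: application/json'],
    ];
}

// Classify a response so these failures are logged instead of parsed as success.
function classifyResponse(int $status, string $headers, string $body): string
{
    if ($status >= 300 && $status < 400) return 'redirect';    // e.g. 301 to a login page
    $data = json_decode($body, true);
    if (!is_array($data)) return 'non-json';                   // HTML instead of API JSON
    $errors = $data['errors'] ?? '';
    if (is_string($errors) && stripos($errors, 'cannot include cookies') !== false) return 'cookie-rejected';
    if (preg_match('/^set-cookie:/mi', $headers)) return 'ok-but-sets-cookie';  // worth logging
    return $status < 300 ? 'ok' : 'api-error';
}

function postJson(string $url, string $user, string $pass, string $json): array
{
    $ch = curl_init();                                         // fresh handle per request
    curl_setopt_array($ch, apiPostOptions($url, $user, $pass, $json));
    $raw = curl_exec($ch);
    if ($raw === false) return ['transport-error', 0];
    $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $split  = (int) curl_getinfo($ch, CURLINFO_HEADER_SIZE);   // header/body boundary
    return [classifyResponse($status, substr($raw, 0, $split), substr($raw, $split)), $status];
}

// Constructed sample responses (not captured traffic); this part runs offline.
$err = '{"errors":"For security reasons, requests using HTTP Basic Authentication cannot include cookies."}';
$samples = [[301, "Location: /login\r\n", '<html>login</html>'], [200, '', '<html>login</html>'],
            [200, '', $err], [201, '', '{"fulfillment":{}}']];
foreach ($samples as [$s, $h, $b]) {
    echo $s, ' => ', classifyResponse($s, $h, $b), "\n";
}
```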

parkerjm
Tourist
16 0 3

The weird thing is that Shopify said they made this change back in 2017:

https://community.shopify.com/c/Shopify-APIs-SDKs/POST-to-admin-orders-json-returns-301-Moved-Perman...

https://community.shopify.com/c/API-Announcements/Shopify-now-prevents-HTTP-Basic-Auth-POST-requests...

I am guessing there was some code released that was incorrectly falsely flagging every request as having cookies, because the requests we were sending certainly did not have cookies but were still getting 301 redirected.

etrolmos
Shopify Partner
23 1 5

Thanks. I noticed that too for the change in 2017.

This private app didn't have explicit code to clear any cookies before the next API request, so I wasn't certain if it was possibly sending a cookie it received from the Shopify API, or not.

It has the code now to clear out any cookies before each request in the meantime, which hopefully is fine until this app can be rebuilt.

 

express-eint
Visitor
1 0 0

We experienced the same issue on 12th Jan from 2.15.45 pm to 2:32:20 pm EST. Has anyone else experienced the same?

parkerjm
Tourist
16 0 3

I did not see this issue on the 12th personally

Commaxx
Visitor
1 0 0

We are recently experiencing this issue for the first time. Thus far we only had it with post requests to the `/fulfillments.json` endpoint. We don't get errors on every request.

 

We double checked and determined that we don't send any cookies with the request. The issue occurred the last few days at the following times:

09-06-2021 16:37:54 CEST

09-06-2021 16:38:31 CEST

09-06-2021 19:23:33 CEST

09-06-2021 19:25:20 CEST

10-06-2021 07:39:10 CEST

10-06-2021 07:39:55 CEST

10-06-2021 08:56:17 CEST

 

WPD
Visitor
2 0 1

Got same issue

FaithCapo
Visitor
1 0 0

Same issue 9/9/2021 when posting product images to /admin/api/2021-07/products/xxx/images.json

BBrands
Visitor
2 0 1

Can confirm we're getting this as well as of approximately 11am EST

nouti
Visitor
1 0 3

I just had a confirmation from a Shopify Plus support agent that there has been an issue with the Admin API for around 2 hours.

 

See attached chat capture:

Screenshot 2021-01-05 at 18.24.13.png