For security reasons, requests using HTTP Basic Authentication cannot include cookies POST,CURL

Notsileous
New Member
2 0 7

I have a group of PHP scripts that interact with a handful of stores that sell our product. I import the orders, update tracking, and feed our inventory. These are all private apps that only run on our server. 

Out of nowhere today, I started getting this error "{"errors":"For security reasons, requests using HTTP Basic Authentication cannot include cookies."}" when trying to use any POST requests (update tracking, inventory), I get this error.

I have no cookies that I am aware of, this is the CURL request for tracking:

$curl = curl_init();
            curl_setopt_array($curl,[
                CURLOPT_URL => $shopURL,
                CURLOPT_RETURNTRANSFER=>1,
                CURLOPT_CUSTOMREQUEST => 'POST',
                CURLOPT_HTTPHEADER=>array(
                    "Content-Type: application/json",
                    "accept: application/json"
                ),
                CURLOPT_POSTFIELDS=>$dataString
            ]);
            //perform request
            $result = curl_exec($curl);

Did something change? I can not find any changelog entries hinting at this, it just started for me around 11am EST 1/5/2020.

Replies 22 (22)
Nicholas_Piasec
Shopify Partner
17 0 3

Yes, I think I just started seeing this too around 11 a.m. The server is responding with a 301 (which our code follows implicitly) that takes you to a weird login page. I can see the same cookie message in Postman, but the cookies dialog is empty and as far as I'm aware, no cookies are being sent.

briant1
New Member
1 0 0

Me too, I ran a similar test with postman and have the same result. 

BBrands
New Member
2 0 1

Can confirm we're getting this as well as of approximately 11am EST

nouti
New Member
1 0 3

I just had a confirmation from a Shopify Plus support agent that there is an issue with Admin API since around 2 hours.

 

See attached chat capture :

Screenshot 2021-01-05 at 18.24.13.png

Notsileous
New Member
2 0 7

Well thank god it is not just me, is there an outlet for reporting these issues?

ryantkelly
Excursionist
12 0 10

I'm seeing it as well. The replies for Shopify Support on Twitter are lit up with this issue.

grwthgrp
Shopify Partner
4 0 1
Brad_Coates
Tourist
3 0 2
Greg_Kujawa
Shopify Partner
1020 83 262

This issue now appears on the Shopify status page --> https://www.shopifystatus.com/incidents. Definitely a kink in the Matrix.

DanAtBonify
Shopify Partner
35 3 15

Yep, unable to POST to metafields or customers. Getting back and HTML page instead of the typical API JSON response.

Paddy_O_Farrell
Tourist
12 0 4

Seeing the same here, working for months until about 2 hours ago, I was head scratching to see if I'd missed an API update that broke my code. I'm getting: "Error: For security reasons, requests using HTTP Basic Authentication cannot include cookies." - this was working fine, its resulting from trying to create a Customer (with metafields) via PHP

Greg_Kujawa
Shopify Partner
1020 83 262

The status page indicates it's up again now. Haven't tried it yet, but that's what it says at least...

Paddy_O_Farrell
Tourist
12 0 4

Just tried it there, and its working now again for me, thanks to whomever sorted it out!

ryantkelly
Excursionist
12 0 10
etrolmos
Shopify Partner
22 1 5

I'm curious if this was a future change accidentally rolled out too soon (and since reverted), thus I will need to make changes to my code at some point anyways?

For OP, something like this should clear out the cookies before a request:

curl_setopt( $ch, CURLOPT_COOKIELIST, 'ALL' );

But I'm not sure if the API did pass a Set-Cookie header, and the no-cookies rule was then being randomly enforced by the API, or what happened since it resolved before I could collect enough data from this inherited app.

parkerjm
Tourist
16 0 3

The weird thing is that shopify said they made this change back in 2017:

https://community.shopify.com/c/Shopify-APIs-SDKs/POST-to-admin-orders-json-returns-301-Moved-Perman...

https://community.shopify.com/c/API-Announcements/Shopify-now-prevents-HTTP-Basic-Auth-POST-requests...

I am guessing there was some code released that was incorrectly falsely flagging every request as having cookies, because the requests we were sending certainly did not have cookies but were still getting 301 redirected.

etrolmos
Shopify Partner
22 1 5

Thanks. I noticed that too for the change in 2017.

This private app didn't have explicit code to clear any cookies before the next API request, so I wasn't certain if it was possibly sending a cookie it received from the Shopify API, or not.

It has the code now to clear out any cookies before each request in the mean time, which hopefully is fine until this app can be rebuilt.

 

express-eint
New Member
1 0 0

We have experienced the same issue on 12th Jan from 2.15.45 pm to 2:32:20 pm EST .Has anyone also experienced the same ?

parkerjm
Tourist
16 0 3

I did not see this issue on the 12th personally