JRASERVER-76021
Jul 06, 2023 - 7:54 a.m.

Using the Jira Python library to make REST API calls with cookie auth bypasses Jira rate limiting

jira.atlassian.com
Labels: jira, python, rest api, cookie auth, rate limiting, data center, token-based authentication

h3. Issue Summary

When using the open-source [Jira Python library|https://github.com/pycontribs/jira] to make REST API calls to Jira, if [cookie-based authentication|https://jira.readthedocs.io/examples.html#cookie-based-authentication] is used then Jira’s rate limits will be bypassed. This can result in significant performance impacts due to the inability to limit scripted API requests.

This is reproducible on Data Center: yes

h3. Steps to Reproduce

Configure [rate limiting|https://confluence.atlassian.com/display/ADMINJIRASERVER/Improving+instance+stability+with+rate+limiting] in Jira to allow 1 request per 1 minute with burst size 1.

Configure TRACE level logging for the com.atlassian.ratelimiting package.

Install the [Jira Python library|https://github.com/pycontribs/jira] and repeatedly run the following script, replacing {{JIRA_BASE_URL}}, {{USERNAME}} and {{PASSWORD}} as appropriate:

{noformat}
import jira

# Cookie-based authentication: the library logs in once with the credentials,
# then sends the JSESSIONID and atlassian.xsrf.token cookies with every REST call.
myjira = jira.JIRA('https://JIRA_BASE_URL/', auth=('USERNAME', 'PASSWORD'))

print(myjira.projects())
{noformat}

h3. Expected Results

Rate limiting works as configured.

h3. Actual Results

Rate limiting has no effect.

The Jira logs show that the requests made by Python are being treated as UI requests due to the presence of both the JSESSIONID and atlassian.xsrf.token cookies, which then bypasses rate limiting:
{noformat}
2023-07-06 07:31:30,825+0000 http-nio-8080-exec-21 TRACE anonymous 123x456x7 sessionid 1.2.3.4 /rest/api/2/project [c.a.r.internal.filter.RateLimitFilter] Checking if rate limiting logic needs to be applied to user request: [/rest/api/2/project]
2023-07-06 07:31:30,825+0000 http-nio-8080-exec-21 TRACE anonymous 123x456x7 sessionid 1.2.3.4 /rest/api/2/project [c.a.r.internal.requesthandler.DefaultRateLimitUiRequestHandler] All request headers: [[host, user-agent, accept, accept-encoding, cache-control, content-type, cookie, x-atlassian-token, x-forwarded-for, x-forwarded-host, x-forwarded-port, x-forwarded-proto, x-forwarded-server, x-real-ip]], UI headers: [{}] (count: 0), UI cookies [{JSESSIONID=[FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF], atlassian.xsrf.token=[FFFF-FFFF-FFFF-FFFF_ffffffffffffffffffffffffffffffffffffffff_lin]}] (count: 2), is UI request: [true]
2023-07-06 07:31:30,825+0000 http-nio-8080-exec-21 TRACE anonymous 123x456x7 sessionid 1.2.3.4 /rest/api/2/project [c.a.r.internal.requesthandler.DefaultRateLimitUiRequestHandler] Authorization: no header found
2023-07-06 07:31:30,825+0000 http-nio-8080-exec-21 TRACE anonymous 123x456x7 sessionid 1.2.3.4 /rest/api/2/project [c.a.r.internal.filter.RateLimitFilter] Request has passed rate limiting - continuing on…
{noformat}
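As an added example (not part of the Atlassian report or of the Jira Python library), the following Python script parses com.atlassian.ratelimiting TRACE lines of the shape quoted above and flags REST API requests that the filter classified as UI requests while finding no Authorization header, which is the combination that slipped past the rate limiter here. The first four sample lines are the ones quoted in the report; the remaining sample lines are constructed for contrast. The line layout, the grouping by Jira request id and the flagging rule are assumptions read off those quoted lines, not documented Jira behaviour.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Layout assumed from the TRACE lines quoted in the report:
# "<date> <time> <thread> <level> <user> <request-id> <session> <ip> <path> [<logger>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+[+-]\d{4}) (?P<thread>\S+) (?P<level>\S+) "
    r"(?P<user>\S+) (?P<reqid>\S+) (?P<session>\S+) (?P<ip>\S+) (?P<path>\S+) "
    r"\[(?P<logger>[^\]]+)\] (?P<msg>.*)$"
)
IS_UI_RE = re.compile(r"is UI request: \[(true|false)\]")
UI_COOKIES_RE = re.compile(r"UI cookies \[\{(?P<cookies>[^}]*)\}\]")
COOKIE_NAME_RE = re.compile(r"([A-Za-z0-9_.\-]+)=\[")


@dataclass
class RateLimitDecision:
    """What the rate-limiting filter logged for one Jira request id."""
    request_id: str
    path: str
    user: str
    client_ip: str
    ui_cookie_names: List[str] = field(default_factory=list)
    is_ui_request: Optional[bool] = None
    authorization_header: Optional[bool] = None  # None until the filter logs it
    passed_rate_limiting: bool = False

    @property
    def bypass_suspected(self) -> bool:
        # A REST call treated as a UI request with no Authorization header:
        # the pattern the report shows skipping the configured limit.
        return (self.path.startswith("/rest/")
                and self.is_ui_request is True
                and self.authorization_header is False)


def parse_decisions(log_text: str) -> Dict[str, RateLimitDecision]:
    """Group com.atlassian.ratelimiting TRACE lines by Jira request id."""
    decisions: Dict[str, RateLimitDecision] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("logger").startswith("c.a.r."):
            continue  # not a rate-limiting line
        reqid = m.group("reqid")
        if reqid not in decisions:
            decisions[reqid] = RateLimitDecision(
                request_id=reqid, path=m.group("path"),
                user=m.group("user"), client_ip=m.group("ip"))
        d, msg = decisions[reqid], m.group("msg")
        ui = IS_UI_RE.search(msg)
        if ui:
            d.is_ui_request = ui.group(1) == "true"
        cookies = UI_COOKIES_RE.search(msg)
        if cookies:
            d.ui_cookie_names = COOKIE_NAME_RE.findall(cookies.group("cookies"))
        if msg.startswith("Authorization:"):
            d.authorization_header = "no header found" not in msg
        if "has passed rate limiting" in msg:
            d.passed_rate_limiting = True
    return decisions


def find_rest_ui_bypasses(log_text: str) -> List[RateLimitDecision]:
    """REST requests that got the UI treatment without an Authorization header."""
    return [d for d in parse_decisions(log_text).values() if d.bypass_suspected]


# Constructed sample log. The first four lines are the ones quoted in the report
# (cookie-authenticated Python client); the others are made up here for contrast.
SAMPLE_LOG = "\n".join([
    "2023-07-06 07:31:30,825+0000 http-nio-8080-exec-21 TRACE anonymous 123x456x7 sessionid 1.2.3.4 /rest/api/2/project [c.a.r.internal.filter.RateLimitFilter] Checking if rate limiting logic needs to be applied to user request: [/rest/api/2/project]",
    "2023-07-06 07:31:30,825+0000 http-nio-8080-exec-21 TRACE anonymous 123x456x7 sessionid 1.2.3.4 /rest/api/2/project [c.a.r.internal.requesthandler.DefaultRateLimitUiRequestHandler] All request headers: [[host, user-agent, accept, accept-encoding, cache-control, content-type, cookie, x-atlassian-token, x-forwarded-for, x-forwarded-host, x-forwarded-port, x-forwarded-proto, x-forwarded-server, x-real-ip]], UI headers: [{}] (count: 0), UI cookies [{JSESSIONID=[FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF], atlassian.xsrf.token=[FFFF-FFFF-FFFF-FFFF_ffffffffffffffffffffffffffffffffffffffff_lin]}] (count: 2), is UI request: [true]",
    "2023-07-06 07:31:30,825+0000 http-nio-8080-exec-21 TRACE anonymous 123x456x7 sessionid 1.2.3.4 /rest/api/2/project [c.a.r.internal.requesthandler.DefaultRateLimitUiRequestHandler] Authorization: no header found",
    "2023-07-06 07:31:30,825+0000 http-nio-8080-exec-21 TRACE anonymous 123x456x7 sessionid 1.2.3.4 /rest/api/2/project [c.a.r.internal.filter.RateLimitFilter] Request has passed rate limiting - continuing on...",
    # Constructed: a REST call the filter did NOT treat as a UI request.
    "2023-07-06 07:32:01,004+0000 http-nio-8080-exec-22 TRACE jdoe 123x457x8 - 1.2.3.4 /rest/api/2/myself [c.a.r.internal.requesthandler.DefaultRateLimitUiRequestHandler] UI headers: [{}] (count: 0), UI cookies [{}] (count: 0), is UI request: [false]",
    # Constructed: a genuine browser page view, correctly treated as a UI request.
    "2023-07-06 07:32:05,310+0000 http-nio-8080-exec-23 TRACE jdoe 123x458x9 sessionid 5.6.7.8 /secure/Dashboard.jspa [c.a.r.internal.requesthandler.DefaultRateLimitUiRequestHandler] UI headers: [{}] (count: 0), UI cookies [{JSESSIONID=[FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF]}] (count: 1), is UI request: [true]",
])

if __name__ == "__main__":
    for d in find_rest_ui_bypasses(SAMPLE_LOG):
        print(f"{d.request_id} {d.client_ip} {d.user} {d.path}: UI cookies {d.ui_cookie_names}, "
              f"no Authorization header, passed={d.passed_rate_limiting}")
```

Against a real atlassian-jira.log with TRACE enabled for com.atlassian.ratelimiting, feed the file contents to find_rest_ui_bypasses and review the flagged client IPs and users; a steady stream of /rest/ requests from one IP that all carry UI cookies and no Authorization header is the footprint of a cookie-authenticated script rather than a browser. Once the workaround below is applied, the same requests should log an Authorization header instead.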
h3. Workaround

Configure the Jira Python library to use [token-based authentication|https://jira.readthedocs.io/examples.html#jira-self-hosted-incl-jira-server-data-center] instead of [cookie-based authentication|https://jira.readthedocs.io/examples.html#cookie-based-authentication]. Note that this requires the active cooperation of the user running the Python script, since the change has to be made on the client side.

h3. Affected configurations

Any of the following:

* Atlassian Jira Data Center ≤ 8.6.0
* Atlassian Jira Data Center ≤ 9.1.0
* Atlassian Jira Data Center ≤ 9.10.0