diff --git a/apps/authentication/api/session.py b/apps/authentication/api/session.py
index 37d4f82b5..eff7b1678 100644
--- a/apps/authentication/api/session.py
+++ b/apps/authentication/api/session.py
@@ -55,14 +55,14 @@ class UserSessionApi(generics.RetrieveDestroyAPIView):
 
     def retrieve(self, request, *args, **kwargs):
         if isinstance(request.user, AnonymousUser):
-            return Response(status=status.HTTP_200_OK)
+            return Response(status=status.HTTP_403_FORBIDDEN)
 
         UserSessionManager(request).connect()
-        return Response(status=status.HTTP_200_OK)
+        return Response(status=status.HTTP_200_OK, data={'ok': True})
 
     def destroy(self, request, *args, **kwargs):
         if isinstance(request.user, AnonymousUser):
-            return Response(status=status.HTTP_200_OK)
+            return Response(status=status.HTTP_403_FORBIDDEN)
 
         UserSessionManager(request).disconnect()
-        return Response(status=status.HTTP_204_NO_CONTENT)
+        return Response(status=status.HTTP_200_OK, data={'ok': True})
diff --git a/apps/common/api/common.py b/apps/common/api/common.py
index 988e85361..76d925743 100644
--- a/apps/common/api/common.py
+++ b/apps/common/api/common.py
@@ -97,7 +97,7 @@ class ResourcesIDCacheApi(APIView):
 
 
 class CountryListApi(APIView):
-    permission_classes = (AllowAny,)
+    permission_classes = (IsValidUser,)
 
     def get(self, request, *args, **kwargs):
         return Response(COUNTRY_CALLING_CODES)
diff --git a/apps/common/management/commands/check_api.py b/apps/common/management/commands/check_api.py
index 5dff77a9d..f8de10f08 100644
--- a/apps/common/management/commands/check_api.py
+++ b/apps/common/management/commands/check_api.py
@@ -34,6 +34,10 @@ def parse_to_url(url):
     url = url.replace('(?P<format>[a-z0-9]+)', '')
     url = url.replace('((?P<terminal>[/.]{36})/)?', uid + '/')
     url = url.replace('(?P<pk>[/.]+)', uid)
+    url = url.replace('(?P<label>.*)', uid)
+    url = url.replace('(?P<res_type>.*)', '1')
+    url = url.replace('(?P<name>[\\w.@]+)', '')
+    url = url.replace('<str:name>', 'zh-hans')
     url = url.replace('\.', '')
     url = url.replace('//', '/')
     url = url.strip('$')
@@ -70,7 +74,9 @@ known_unauth_urls = [
     "/api/v1/authentication/login-confirm-ticket/status/",
     "/api/v1/authentication/mfa/select/",
     "/api/v1/authentication/mfa/send-code/",
-    "/api/v1/authentication/sso/login/"
+    "/api/v1/authentication/sso/login/",
+    "/api/v1/authentication/user-session/",
+    "/api/v1/settings/i18n/zh-hans/"
 ]
 
 known_error_urls = [
diff --git a/apps/terminal/permissions.py b/apps/terminal/permissions.py
index 288d839eb..4eb3093fd 100644
--- a/apps/terminal/permissions.py
+++ b/apps/terminal/permissions.py
@@ -9,7 +9,14 @@ __all__ = ['IsSessionAssignee']
 
 class IsSessionAssignee(permissions.IsAuthenticated):
     def has_permission(self, request, view):
-        return True
+        if not request.user:
+            return False
+        if request.user.is_anonymous:
+            return False
+        if view.action == 'retrieve':
+            # Why return True? please refer to the issue: #11678
+            return True
+        return False
 
     def has_object_permission(self, request, view, obj):
         try: