Loading...

Type: Bug
Resolution: Fixed
Priority: Medium
Fix Version/s: 10.1.0, 9.2.9
Affects Version/s: 9.2.7, 8.5.25
Component/s: CONF DoS
Labels:

Support reference count:
1
Symptom Severity:
Severity 3 - Minor
Bug Fix Policy:
View Atlassian Server bug fix policy
EWT (CtB, RtB, DP):
CtB - Improve Existing

Issue Summary

Steps to Reproduce

Install Confluence v9.2.x and Crowd v6.3.x
Configure Confluence as an application on Crowd and add users
Configure Confluence to use Crowd's Authenticator to enable SSO and configure SSOSeraphAuthenticator in <confluence-install>/confluence/WEB-INF/classes/seraph-config.xml to use Crowd as centralized session manager.

Login to Confluence with a Crowd user, close the tab and wait for Confluence and Crowd session timeout.
Browse the page again, you will be redirected to Confluence login page
1. Confluence will receive the Crowd session cookie from end-user browser and send session validation request to Crowd. Upon receiving unknown session 404 Confluence will redirect user to login page.

Fast test parameters

Set session timeout to 2 minutes on Confluence.

Set <confluence-install>/confluence/WEB-INF/classes/crowd.properties file with 0 session validation interval
- session.validationinterval 0
Set Crowd Session duration to 3 minutes on Crowd Administration > Session configuration

Expected Results

Confluence should not check session validation for each HTTP request in the login page after getting 404 Unknown Session from Crowd

Actual Results

Confluence makes multiple HTTP REST API Calls as Session Validation request to Crowd for every HTTP request, totalling a big number for a single login page.

The below logs are from Crowd DC access logs that showing requests coming from Confluence for the same timed out session.

--- BEFORE CLOSING THE TAB ---
[13/Aug/2025:11:37:05 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 18 504 200 http-nio-6631-exec-16 - connie

--- AFTER CLOSING THE TAB AND WAITING FOR 3 MINS TO REOPEN IT ---

[13/Aug/2025:11:41:01 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 13 141 404 http-nio-6631-exec-6 - connie
[13/Aug/2025:11:41:01 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 12 147 404 http-nio-6631-exec-20 - connie
[13/Aug/2025:11:41:01 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 12 147 404 http-nio-6631-exec-17 - connie
[13/Aug/2025:11:41:01 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 13 147 404 http-nio-6631-exec-3 - connie
[13/Aug/2025:11:41:01 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 12 147 404 http-nio-6631-exec-11 - connie
[13/Aug/2025:11:41:01 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 13 147 404 http-nio-6631-exec-22 - connie
[13/Aug/2025:11:41:01 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 15 147 404 http-nio-6631-exec-24 - connie
[13/Aug/2025:11:41:01 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 16 147 404 http-nio-6631-exec-19 - connie
[13/Aug/2025:11:41:01 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 17 147 404 http-nio-6631-exec-18 - connie
[13/Aug/2025:11:41:01 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 17 147 404 http-nio-6631-exec-16 - connie
[13/Aug/2025:11:41:01 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 19 147 404 http-nio-6631-exec-8 - connie
[13/Aug/2025:11:41:01 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 13 147 404 http-nio-6631-exec-7 - connie
[13/Aug/2025:11:41:01 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 14 147 404 http-nio-6631-exec-14 - connie
[13/Aug/2025:11:41:01 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 15 147 404 http-nio-6631-exec-9 - connie
[13/Aug/2025:11:41:01 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 18 147 404 http-nio-6631-exec-21 - connie
[13/Aug/2025:11:41:01 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 16 147 404 http-nio-6631-exec-1 - connie
[13/Aug/2025:11:41:01 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 16 147 404 http-nio-6631-exec-10 - connie
[13/Aug/2025:11:41:01 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 19 147 404 http-nio-6631-exec-2 - connie
[13/Aug/2025:11:41:01 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 21 147 404 http-nio-6631-exec-23 - connie
[13/Aug/2025:11:41:01 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 28 147 404 http-nio-6631-exec-4 - connie
[13/Aug/2025:11:41:01 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 39 147 404 http-nio-6631-exec-15 - connie
[13/Aug/2025:11:41:01 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 25 147 404 http-nio-6631-exec-13 - connie
[13/Aug/2025:11:41:01 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 25 147 404 http-nio-6631-exec-25 - connie
[13/Aug/2025:11:41:01 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 23 147 404 http-nio-6631-exec-5 - connie
[13/Aug/2025:11:41:01 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 25 147 404 http-nio-6631-exec-12 - connie
[13/Aug/2025:11:41:01 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 22 147 404 http-nio-6631-exec-6 - connie
[13/Aug/2025:11:41:02 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 21 147 404 http-nio-6631-exec-20 - connie
[13/Aug/2025:11:41:02 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 24 147 404 http-nio-6631-exec-17 - connie
[13/Aug/2025:11:41:02 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 23 147 404 http-nio-6631-exec-6 - connie
[13/Aug/2025:11:41:02 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 21 147 404 http-nio-6631-exec-11 - connie
[13/Aug/2025:11:41:02 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 28 147 404 http-nio-6631-exec-24 - connie
[13/Aug/2025:11:41:02 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 24 147 404 http-nio-6631-exec-19 - connie
[13/Aug/2025:11:41:02 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 23 147 404 http-nio-6631-exec-18 - connie
[13/Aug/2025:11:41:02 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 34 147 404 http-nio-6631-exec-22 - connie
[13/Aug/2025:11:41:02 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 27 147 404 http-nio-6631-exec-16 - connie
[13/Aug/2025:11:41:02 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 24 147 404 http-nio-6631-exec-8 - connie
[13/Aug/2025:11:41:02 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 24 147 404 http-nio-6631-exec-7 - connie
[13/Aug/2025:11:41:02 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 24 147 404 http-nio-6631-exec-14 - connie
[13/Aug/2025:11:41:02 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 24 147 404 http-nio-6631-exec-16 - connie
[13/Aug/2025:11:41:02 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 23 147 404 http-nio-6631-exec-1 - connie
[13/Aug/2025:11:41:02 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 23 147 404 http-nio-6631-exec-21 - connie
[13/Aug/2025:11:41:02 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 17 147 404 http-nio-6631-exec-2 - connie
[13/Aug/2025:11:41:02 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 18 147 404 http-nio-6631-exec-10 - connie
[13/Aug/2025:11:41:02 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 18 147 404 http-nio-6631-exec-4 - connie
[13/Aug/2025:11:41:02 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 19 147 404 http-nio-6631-exec-23 - connie
[13/Aug/2025:11:41:02 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 17 147 404 http-nio-6631-exec-5 - connie
[13/Aug/2025:11:41:02 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 18 147 404 http-nio-6631-exec-25 - connie
[13/Aug/2025:11:41:02 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 18 147 404 http-nio-6631-exec-13 - connie
[13/Aug/2025:11:41:02 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 21 147 404 http-nio-6631-exec-15 - connie
[13/Aug/2025:11:41:02 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 16 147 404 http-nio-6631-exec-12 - connie
[13/Aug/2025:11:41:02 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 17 147 404 http-nio-6631-exec-20 - connie
[13/Aug/2025:11:41:02 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 14 147 404 http-nio-6631-exec-17 - connie
[13/Aug/2025:11:41:02 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 25 147 404 http-nio-6631-exec-3 - connie
[13/Aug/2025:11:41:02 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 18 147 404 http-nio-6631-exec-6 - connie
[13/Aug/2025:11:41:02 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 16 147 404 http-nio-6631-exec-11 - connie
[13/Aug/2025:11:41:02 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 14 147 404 http-nio-6631-exec-24 - connie
[13/Aug/2025:11:41:02 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 27 147 404 http-nio-6631-exec-19 - connie
[13/Aug/2025:11:41:12 +0200] Apache-HttpClient/4.5.14 (Java/17.0.15) 127.0.0.1 POST /crowd/rest/usermanagement/1/session/HRvDsw3AOpeM-E6qJqjPWQAAAAAAAgABdGVzdDky HTTP/1.1 16 147 404 http-nio-6631-exec-22 - connie

Workaround

This is intended as Confluence is configured to check session validation from remote Crowd.

Currently there is no known workaround for this behavior. A workaround will be added here when available

is resolved by: KRAK-8084 Loading...

links to

KRAK-8040

Details

Description

Issue Summary

Steps to Reproduce

Expected Results

Actual Results

Workaround

Attachments

Issue Links

Forms

Activity

People

Dates