Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-52421

Synchrony will sometimes return Set-Cookie headers if using XHR fallback mode

XMLWordPrintable

      NOTE: This issue does not affect instances which use the internal synchrony proxy. This means most non data center instances running 6.2.1+ should not be affected. See -CONFSERVER-52393- for details .

      If using XHR fallback mode, synchrony will sometimes return headers like the following. "Set-Cookie: JSESSIONID=dummy". This will cause the current user to be logged out.

      Steps to reproduce

      You will likely need a proxy to reproduce this bug - the internal synchrony proxy is not suitable as it has been patched.

      1. Setup Synchrony and Confluence on the same domain and port. Confluence must be configured to run on the root of the domain. ie http://localhost:8080/
      2. Disable websockets so that Confluence will use XHR fallback mode
      3. Logout and clear all cookies
      4. Add a random cookie via the console 
        document.cookie = "this.is.important=false;"
      1. Login to confluence and edit a page
      2. Notice the xhr and xhr_send requests return a Set-Cookie header which consequently log you out

      Possible Workarounds

      • Use the internal proxy
      • Filter out Set-Cookie headers at the external proxy
      • Rename the Session cookie tomcat uses as shown in Option 2 section

        1. CONFSERVER-52421.har
          416 kB

            [CONFSERVER-52421] Synchrony will sometimes return Set-Cookie headers if using XHR fallback mode

            Julien L. added a comment - - edited

            Currently I circumvent the problem by filtering the cookies returned by the application at the Apache reverse proxy level with this rule:

            Header edit Set-Cookie "^(.*?)JSESSIONID=dummy;(.*)$" $1$2

            Julien L. added a comment - - edited Currently I circumvent the problem by filtering the cookies returned by the application at the Apache reverse proxy level with this rule: Header edit Set-Cookie "^(.*?)JSESSIONID=dummy;(.*)$" $1$2

            Matt Fox added a comment - - edited

            This still affects Confluence 6.4.1. We use XHR because our install is behind a Sophos UTM Web Application Firewall that doesn't support websockets. It's also behind Apache doing TLS. Shaw's fix above worked for us.

            This affected a very specific subset of clients, but I wan't able to determine what was common between affected clients. One user affected 100% of the time in Chrome, but in some other browsers (Firefox I think) he wasn't affected.

            We also saw other symptoms less severe than being completely logged out:

            1. Pasting images into a page editor would not work. After Ctrl-V, a dialog would appear saying "Your session has expired. You may need to re-submit the form or reload the page." However we could continue to edit the page, other than pasting images.
            2. When adding links to a page, the "Recently viewed" section of the dialog was always empty.

            Both these issues have been resolved after renaming the Confluence session cookie.

            Matt Fox added a comment - - edited This still affects Confluence 6.4.1. We use XHR because our install is behind a Sophos UTM Web Application Firewall that doesn't support websockets. It's also behind Apache doing TLS. Shaw's fix above worked for us. This affected a very specific subset of clients, but I wan't able to determine what was common between affected clients. One user affected 100% of the time in Chrome, but in some other browsers (Firefox I think) he wasn't affected. We also saw other symptoms less severe than being completely logged out: Pasting images into a page editor would not work. After Ctrl-V, a dialog would appear saying "Your session has expired. You may need to re-submit the form or reload the page." However we could continue to edit the page, other than pasting images. When adding links to a page, the "Recently viewed" section of the dialog was always empty. Both these issues have been resolved after renaming the Confluence session cookie.

            Steve Shaw added a comment -

            My customer was on 6.1.2 using xhr fallback and had a proxy.  Also, we found only one JSESSIONID cookie whereas https://jira.atlassian.com/browse/CONFSERVER-52393 mentioned that there would be multiple instances.  To resolve, customer successfully implemented the following:

            Add the sessionCookieName attribute to the <Context> element in <install>/conf/context.xml:
            {code}
            <Context sessionCookieName="CONFLUENCESESSIONID">
            {code}

            Steve Shaw added a comment - My customer was on 6.1.2 using xhr fallback and had a proxy.  Also, we found only one JSESSIONID cookie whereas https://jira.atlassian.com/browse/CONFSERVER-52393  mentioned that there would be multiple instances.  To resolve, customer successfully implemented the following: Add the sessionCookieName attribute to the <Context> element in <install>/conf/context.xml: {code} <Context sessionCookieName="CONFLUENCESESSIONID"> {code}

              mfedoryshyn Maksym Fedoryshyh
              zgilovitz Ze'ev (Inactive)
              Affected customers:
              29 This affects my team
              Watchers:
              26 Start watching this issue

                Created:
                Updated:
                Resolved: