Confluence Server: CONFSERVER-52421

Synchrony will sometimes return Set-Cookie headers if using XHR fallback mode

      NOTE: This issue does not affect instances that use the internal Synchrony proxy, which means most non-Data Center instances running 6.2.1+ should not be affected. See CONFSERVER-52393 for details.

      If using XHR fallback mode, Synchrony will sometimes return headers like "Set-Cookie: JSESSIONID=dummy". This causes the current user to be logged out.

      Steps to reproduce

      You will likely need an external proxy to reproduce this bug; the internal Synchrony proxy is not suitable because it has been patched.

      1. Set up Synchrony and Confluence on the same domain and port. Confluence must be configured to run on the root of the domain, i.e. http://localhost:8080/
      2. Disable websockets so that Confluence will use XHR fallback mode
      3. Log out and clear all cookies
      4. Add a random cookie via the browser console:
        document.cookie = "this.is.important=false;"
      5. Log in to Confluence and edit a page
      6. Notice that the xhr and xhr_send requests return a Set-Cookie header, which consequently logs you out

      Possible Workarounds

      • Use the internal proxy
      • Filter out Set-Cookie headers at the external proxy
      • Rename the session cookie Tomcat uses, as shown in the Option 2 section
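A small check for confirming that the second or third workaround actually took effect, added here as an example and not code from the issue or from Atlassian: it inspects the response headers of a Synchrony xhr/xhr_send request and reports any Set-Cookie that would replace the Tomcat session cookie (JSESSIONID by default, or the name you chose when renaming it). The sample headers and the command-line URL argument are assumptions.

```python
"""Flag Synchrony XHR-fallback responses that (re)set the Tomcat session cookie."""
import sys
import urllib.request
from http.cookies import CookieError, SimpleCookie


def stray_session_cookies(headers, session_cookie="JSESSIONID"):
    """Return every Set-Cookie value that sets `session_cookie`.

    `headers` is an iterable of (name, value) pairs, as http.client and
    urllib return them. Header names are matched case-insensitively; the
    cookie name itself is case-sensitive, like browsers treat it.
    """
    hits = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie = SimpleCookie()
        try:
            cookie.load(value)
        except CookieError:
            # Unparseable Set-Cookie from the proxy path: report it rather than hide it.
            hits.append(value)
            continue
        if session_cookie in cookie:
            hits.append(value)
    return hits


def check_url(url, session_cookie="JSESSIONID"):
    """Fetch `url` (e.g. an xhr_send endpoint behind your proxy) and return offenders."""
    with urllib.request.urlopen(url) as resp:
        return stray_session_cookies(resp.getheaders(), session_cookie)


if __name__ == "__main__":
    # Constructed sample of what an unpatched external proxy path returns in XHR fallback mode.
    sample = [
        ("Content-Type", "application/json"),
        ("Set-Cookie", "JSESSIONID=dummy"),
        ("Set-Cookie", "this.is.important=false; Path=/"),
    ]
    print(stray_session_cookies(sample))  # ['JSESSIONID=dummy']
    # After renaming the Tomcat session cookie, the dummy header no longer matters.
    print(stray_session_cookies(sample, session_cookie="CONFSESSIONID"))  # []
    if len(sys.argv) > 1:
        print(check_url(sys.argv[1]))
```

An empty list for every xhr and xhr_send response means the proxy filter (or the cookie rename) is doing its job.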
