Confluence Server: CONFSERVER-52421

Synchrony will sometimes return Set-Cookie headers if using XHR fallback mode

      Description

      NOTE: This issue does not affect instances that use the internal Synchrony proxy. This means most non-Data Center instances running 6.2.1+ should not be affected. See CONFSERVER-52393 for details.

      If XHR fallback mode is in use, Synchrony will sometimes return a header such as "Set-Cookie: JSESSIONID=dummy". Because the browser then overwrites the real Confluence session cookie with this value, the current user is logged out.

      Steps to reproduce

      You will likely need a proxy to reproduce this bug; the internal Synchrony proxy is not suitable because it has been patched.

      1. Set up Synchrony and Confluence on the same domain and port. Confluence must be configured to run on the root of the domain, i.e. http://localhost:8080/
      2. Disable WebSockets so that Confluence will use XHR fallback mode.
      3. Log out and clear all cookies.
      4. Add a random cookie via the browser console:
         document.cookie = "this.is.important=false;"
      5. Log in to Confluence and edit a page.
      6. Notice that the xhr and xhr_send requests return a Set-Cookie header, which consequently logs you out.

      Possible Workarounds

      • Use the internal proxy
      • Filter out Set-Cookie headers at the external proxy
      • Rename the session cookie Tomcat uses, as shown in the Option 2 section
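      One way to apply the second workaround at an external reverse proxy, as an added example that is not part of this issue or of Atlassian's documentation: an nginx configuration that proxies Confluence and Synchrony from the same origin and drops any Set-Cookie header Synchrony sends back. It assumes Confluence listens on 127.0.0.1:8080 at the root context (as in the reproduction steps) and Synchrony on 127.0.0.1:8091 under /synchrony; the hostname is a placeholder.

```nginx
# Added example (not from the issue or Atlassian's documentation).
# Assumptions: Confluence on 127.0.0.1:8080 at the root context,
# Synchrony on 127.0.0.1:8091 under /synchrony.

upstream confluence { server 127.0.0.1:8080; }
upstream synchrony  { server 127.0.0.1:8091; }

server {
    listen 80;
    server_name confluence.example.invalid;   # placeholder hostname

    # Confluence itself keeps normal cookie handling so login still works.
    location / {
        proxy_pass http://confluence;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Synchrony: WebSocket upgrade plus the XHR fallback transports
    # (the xhr and xhr_send requests from the reproduction steps).
    location /synchrony {
        proxy_pass http://synchrony/synchrony;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Workaround from this issue: never forward Synchrony's Set-Cookie
        # headers to the browser, so a spurious "JSESSIONID=dummy" cannot
        # overwrite the real Confluence session cookie.
        proxy_hide_header Set-Cookie;
    }
}
```

      proxy_hide_header applies only to responses passing through the /synchrony location, so the Confluence login flow under / is unaffected. After reloading nginx, request one of the xhr_send URLs through the proxy with `curl -si` while editing a page and confirm that no Set-Cookie line appears in the response headers; the same check against Synchrony's port directly will still show the header, which is expected.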
