Details
-
Bug
-
Resolution: Fixed
-
Medium
-
6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.1.2, 6.1.3, 6.1.4, 6.2.2, 6.2.3, 6.3.2
-
30
-
Severity 2 - Major
-
36
-
Description
NOTE: This issue does not affect instances which use the internal synchrony proxy. This means most non data center instances running 6.2.1+ should not be affected. See -CONFSERVER-52393
If using XHR fallback mode, synchrony will sometimes return headers like the following. "Set-Cookie: JSESSIONID=dummy". This will cause the current user to be logged out.
Steps to reproduce
You will likely need a proxy to reproduce this bug - the internal synchrony proxy is not suitable as it has been patched.
- Setup Synchrony and Confluence on the same domain and port. Confluence must be configured to run on the root of the domain. ie http://localhost:8080/
- Disable websockets so that Confluence will use XHR fallback mode
- Logout and clear all cookies
- Add a random cookie via the console
document.cookie = "this.is.important=false;"
- Login to confluence and edit a page
- Notice the xhr and xhr_send requests return a Set-Cookie header which consequently log you out
Possible Workarounds
- Use the internal proxy
- Filter out Set-Cookie headers at the external proxy
- Rename the Session cookie tomcat uses as shown in Option 2 section
Attachments
Issue Links
- causes
-
-
- Closed
-