Details
- Bug
- Resolution: Unresolved
- Medium
- None
- 6.6.7
- 2
- Severity 3 - Minor
- 1
Description
Summary
When utilizing Crowd SSO auth to Confluence, the crowd.token_key cookie is not removed if a user's Crowd session is expired.
Steps to Reproduce
- Configure a Crowd Server
- Integrate Confluence with Crowd using the SSO Seraph authenticator
- Authenticate to Confluence as a Crowd user, view browser cookies and observe presence of crowd.token_key cookie
- Forcibly expire the user's session in Crowd
- Wait for the Crowd session.validationinterval value to expire (2 minutes by default)
- Try to load a Confluence page; you should be logged out and redirected to the login page
- Refresh and view cookies, and observe that the crowd.token_key cookie is still present
Expected Results
The cookie should be removed from subsequent requests, as it is with Bitbucket.
Actual Results
Cookie persists, and each attempt to load the page before re-authenticating will perform a POST call to the Crowd server for a no-longer extant Crowd session, e.g.:
http://ssotest.private:8095/crowd/rest/usermanagement/1/session/Ew68GQY0DZYVT8W9A0UzDA00 404 - Not Found
Confluence will retry the request 4x+ times before the user is redirected to a login page.
Confluence should also remove the cookie when it performs the redirect.
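The flow in the steps above, modelled as an added example (this is not Confluence, Crowd or Seraph code; FakeCrowd, SsoFilter and run_scenario are constructed names and the token value is made up): an authenticator that leaves crowd.token_key in place sends one validation request per page load after the Crowd session is gone, each answered 404, while one that clears the cookie on the login redirect stops after a single call.

```python
COOKIE = "crowd.token_key"
VALIDATION_INTERVAL = 120.0  # Crowd's session.validationinterval default: 2 minutes


class FakeCrowd:
    """Constructed stand-in for Crowd's session resource (hypothetical, not the real REST API)."""
    def __init__(self):
        self.sessions = {"tok123": "alice"}  # constructed token -> user
        self.calls = 0  # how many validation requests reached "Crowd"

    def validate(self, token):
        self.calls += 1
        return 200 if token in self.sessions else 404  # 404 Not Found for an expired/unknown token


class SsoFilter:
    """Model of a Seraph-style SSO authenticator; clear_cookie_on_logout=False reproduces the bug."""
    def __init__(self, crowd, clear_cookie_on_logout, clock):
        self.crowd = crowd
        self.clear_cookie_on_logout = clear_cookie_on_logout
        self.clock = clock
        self.validated = {}  # token -> time of last successful validation

    def handle(self, cookies):
        token = cookies.get(COOKIE)
        if token is None:
            return "redirect:login"
        last = self.validated.get(token)
        if last is not None and self.clock() - last < VALIDATION_INTERVAL:
            return "page"  # inside the validation interval: trust the cached result
        if self.crowd.validate(token) == 200:
            self.validated[token] = self.clock()
            return "page"
        self.validated.pop(token, None)
        if self.clear_cookie_on_logout:
            cookies.pop(COOKIE, None)  # stands for Set-Cookie: crowd.token_key=; Max-Age=0 on the redirect
        return "redirect:login"


def run_scenario(clear_cookie_on_logout, requests_after_expiry=5):
    # Returns (Crowd calls made after expiry, cookie still present) for the chosen behaviour
    now = [0.0]  # fake clock, so nobody has to sleep through the interval
    crowd = FakeCrowd()
    flt = SsoFilter(crowd, clear_cookie_on_logout, clock=lambda: now[0])
    cookies = {COOKIE: "tok123"}
    assert flt.handle(cookies) == "page"  # logged in; Crowd validated the token once
    del crowd.sessions["tok123"]  # forcibly expire the session in Crowd
    now[0] += VALIDATION_INTERVAL + 1  # wait out session.validationinterval
    for _ in range(requests_after_expiry):
        assert flt.handle(cookies) == "redirect:login"
    return crowd.calls - 1, COOKIE in cookies  # minus the one successful validation at login
```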
Issue Links
- is related to: JRASERVER-67639 crowd.token_key not removed if Crowd session is expired (Gathering Impact)
- relates to: JRASERVER-67639 crowd.token_key not removed if Crowd session is expired (Gathering Impact)