Uploaded image for project: 'Crucible'
  1. Crucible
  2. CRUC-7130

Crucible does not clear all Tokens when Browser is Closed

    XMLWordPrintable

    Details

      Description

      Problem
      Closing a browser ends the user session. When the user re-opens the browser and accesses Crucible, there is no login prompt and Crucible treats it like an authenticated user. Any page loads after the initial will result in the user being directed to the login page.

      Steps to Reproduce

      • Have Crucible integrated with Crowd SSO
      • Log into Crucible with an user from Crowd
      • Close the web browser
      • Re-open the web browser
        • Checking the cookies, the crowd token is gone
      • Access Crucible, notice that it returns data as if the user is logged in
        • Easier to confirm if anonymous access is disabled
      • Reload the page or access a separate Crucible page
      • User is redirected back to login page

      Cause
      When the web browser is closed, the Crowd token is cleared, but the not the remember cookie. It seems that this cookie is used for some checks, making Crucible still return data even if not logged in:

      • Attached 2 screenshots of what we see before closing the browser and what we see right after opening the browser (before accessing Crucible).
        • Note that browser is not configured to re-open previous sessions
      • When access Crucible for the first time, the headers look like this:
        Request Header
        Accept	text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Encoding	gzip, deflate
        Accept-Language	en-US,en;q=0.5
        Connection	keep-alive
        Cookie	crucibleprefs1="D%3D1423697357467"; remember=crowdadmin:23:62ca5b2cc3ba57dfa76888e33583f601
        Host	localhost:8060
        User-Agent	Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:34.0) Gecko/20100101 Firefox/34.0
        
        Response Header
        Cache-Control	private
        Content-Encoding	gzip
        Content-Language	en-US
        Content-Length	9239
        Content-Type	text/html;charset=UTF-8
        Expires	Thu, 01 Jan 1970 00:00:00 GMT
        Server	Jetty(8.1.10.v20130312)
        Set-Cookie	remember=crowdadmin:23:62ca5b2cc3ba57dfa76888e33583f601;Path=/;Expires=Thu, 11-Feb-2016 23:29:30 GMT;HttpOnly crucibleprefs1="D%3D1423697370050";Path=/;Expires=Thu, 11-Feb-2016 23:29:30 GMT FESESSIONID=1t7gkorlrltasczw2z0qgg2se;Path=/;HttpOnly atl.xsrf.token.slash=102cc2c85a7162c9e479c2c2cbe39e99d1c2cb6b;Path=/
        Vary	Accept-Encoding, User-Agent
        X-ASESSIONID	16q2zjr
        X-AUSERNAME	crowdadmin
        X-UA-Compatible	IE=Edge
        
      • Notice the the cookie: remember=crowdadmin:23:62ca5b2cc3ba57dfa76888e33583f601
      • Crucible treats this like a logged in user and displays the Crucible page
      • When reloading the page, the headers change:
        Request
        Accept	text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Encoding	gzip, deflate
        Accept-Language	en-US,en;q=0.5
        Cache-Control	max-age=0
        Connection	keep-alive
        Cookie	crucibleprefs1="D%3D1423697370427"; FESESSIONID=1t7gkorlrltasczw2z0qgg2se; atl.xsrf.token.slash=102cc2c85a7162c9e479c2c2cbe39e99d1c2cb6b
        Host	localhost:8060
        User-Agent	Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:34.0) Gecko/20100101 Firefox/34.0
        
        Response
        Content-Encoding	gzip
        Content-Language	en-US
        Content-Length	9415
        Content-Type	text/html;charset=UTF-8
        Server	Jetty(8.1.10.v20130312)
        Vary	Accept-Encoding, User-Agent
        X-ASESSIONID	16q2zjr
        X-AUSERNAME	anonymous
        X-UA-Compatible	IE=Edge
        
      • The remember cookie is gone and user is directed to the login page.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              Unassigned Unassigned
              Reporter:
              mahoney2 David Mahoney
              Votes:
              2 Vote for this issue
              Watchers:
              7 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: