Uploaded image for project: 'Crucible'
  1. Crucible
  2. CRUC-7130

Crucible does not clear all Tokens when Browser is Closed

XMLWordPrintable

      Problem
      Closing a browser ends the user session. When the user re-opens the browser and accesses Crucible, there is no login prompt and Crucible treats it like an authenticated user. Any page loads after the initial will result in the user being directed to the login page.

      Steps to Reproduce

      • Have Crucible integrated with Crowd SSO
      • Log into Crucible with an user from Crowd
      • Close the web browser
      • Re-open the web browser
        • Checking the cookies, the crowd token is gone
      • Access Crucible, notice that it returns data as if the user is logged in
        • Easier to confirm if anonymous access is disabled
      • Reload the page or access a separate Crucible page
      • User is redirected back to login page

      Cause
      When the web browser is closed, the Crowd token is cleared, but the not the remember cookie. It seems that this cookie is used for some checks, making Crucible still return data even if not logged in:

      • Attached 2 screenshots of what we see before closing the browser and what we see right after opening the browser (before accessing Crucible).
        • Note that browser is not configured to re-open previous sessions
      • When access Crucible for the first time, the headers look like this: 
        Request Header
Accept	text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding	gzip, deflate
Accept-Language	en-US,en;q=0.5
Connection	keep-alive
Cookie	crucibleprefs1="D%3D1423697357467"; remember=crowdadmin:23:62ca5b2cc3ba57dfa76888e33583f601
Host	localhost:8060
User-Agent	Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:34.0) Gecko/20100101 Firefox/34.0

Response Header
Cache-Control	private
Content-Encoding	gzip
Content-Language	en-US
Content-Length	9239
Content-Type	text/html;charset=UTF-8
Expires	Thu, 01 Jan 1970 00:00:00 GMT
Server	Jetty(8.1.10.v20130312)
Set-Cookie	remember=crowdadmin:23:62ca5b2cc3ba57dfa76888e33583f601;Path=/;Expires=Thu, 11-Feb-2016 23:29:30 GMT;HttpOnly crucibleprefs1="D%3D1423697370050";Path=/;Expires=Thu, 11-Feb-2016 23:29:30 GMT FESESSIONID=1t7gkorlrltasczw2z0qgg2se;Path=/;HttpOnly atl.xsrf.token.slash=102cc2c85a7162c9e479c2c2cbe39e99d1c2cb6b;Path=/
Vary	Accept-Encoding, User-Agent
X-ASESSIONID	16q2zjr
X-AUSERNAME	crowdadmin
X-UA-Compatible	IE=Edge
      • Notice the the cookie: remember=crowdadmin:23:62ca5b2cc3ba57dfa76888e33583f601
      • Crucible treats this like a logged in user and displays the Crucible page
      • When reloading the page, the headers change: 
        Request
Accept	text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding	gzip, deflate
Accept-Language	en-US,en;q=0.5
Cache-Control	max-age=0
Connection	keep-alive
Cookie	crucibleprefs1="D%3D1423697370427"; FESESSIONID=1t7gkorlrltasczw2z0qgg2se; atl.xsrf.token.slash=102cc2c85a7162c9e479c2c2cbe39e99d1c2cb6b
Host	localhost:8060
User-Agent	Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:34.0) Gecko/20100101 Firefox/34.0

Response
Content-Encoding	gzip
Content-Language	en-US
Content-Length	9415
Content-Type	text/html;charset=UTF-8
Server	Jetty(8.1.10.v20130312)
Vary	Accept-Encoding, User-Agent
X-ASESSIONID	16q2zjr
X-AUSERNAME	anonymous
X-UA-Compatible	IE=Edge
      • The remember cookie is gone and user is directed to the login page.

        1. before closing browser.png
          before closing browser.png
          84 kB
        2. re-opening browser.png
          re-opening browser.png
          42 kB

              Unassigned Unassigned
              468d4a2c90d7 David Mahoney
              Votes:
              2 Vote for this issue
              Watchers:
              7 Start watching this issue

                Created:
                Updated:
                Resolved: