CRUC-7130: Crucible does not clear all Tokens when Browser is Closed


Details

    Description

      Problem
      Closing the browser ends the user session. When the user re-opens the browser and accesses Crucible, there is no login prompt and Crucible treats the request as coming from an authenticated user. Any page load after the initial one redirects the user to the login page.

      Steps to Reproduce

      • Have Crucible integrated with Crowd SSO
      • Log into Crucible with a user from Crowd
      • Close the web browser
      • Re-open the web browser
        • Checking the cookies, the crowd token is gone
      • Access Crucible; notice that it returns data as if the user were logged in
        • Easier to confirm if anonymous access is disabled
      • Reload the page or access a separate Crucible page
      • User is redirected back to login page

      Cause
      When the web browser is closed, the Crowd token is cleared, but not the remember cookie. It seems that this cookie is used for some checks, making Crucible still return data even if the user is not logged in:

      • Attached 2 screenshots of what we see before closing the browser and what we see right after opening the browser (before accessing Crucible).
        • Note that browser is not configured to re-open previous sessions
      • When accessing Crucible for the first time, the headers look like this:
        Request Header
        Accept	text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Encoding	gzip, deflate
        Accept-Language	en-US,en;q=0.5
        Connection	keep-alive
        Cookie	crucibleprefs1="D%3D1423697357467"; remember=crowdadmin:23:62ca5b2cc3ba57dfa76888e33583f601
        Host	localhost:8060
        User-Agent	Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:34.0) Gecko/20100101 Firefox/34.0
        
        Response Header
        Cache-Control	private
        Content-Encoding	gzip
        Content-Language	en-US
        Content-Length	9239
        Content-Type	text/html;charset=UTF-8
        Expires	Thu, 01 Jan 1970 00:00:00 GMT
        Server	Jetty(8.1.10.v20130312)
        Set-Cookie	remember=crowdadmin:23:62ca5b2cc3ba57dfa76888e33583f601;Path=/;Expires=Thu, 11-Feb-2016 23:29:30 GMT;HttpOnly
        Set-Cookie	crucibleprefs1="D%3D1423697370050";Path=/;Expires=Thu, 11-Feb-2016 23:29:30 GMT
        Set-Cookie	FESESSIONID=1t7gkorlrltasczw2z0qgg2se;Path=/;HttpOnly
        Set-Cookie	atl.xsrf.token.slash=102cc2c85a7162c9e479c2c2cbe39e99d1c2cb6b;Path=/
        Vary	Accept-Encoding, User-Agent
        X-ASESSIONID	16q2zjr
        X-AUSERNAME	crowdadmin
        X-UA-Compatible	IE=Edge
        
      • Notice the cookie: remember=crowdadmin:23:62ca5b2cc3ba57dfa76888e33583f601
      • Crucible treats this like a logged in user and displays the Crucible page
      • When reloading the page, the headers change:
        Request
        Accept	text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Encoding	gzip, deflate
        Accept-Language	en-US,en;q=0.5
        Cache-Control	max-age=0
        Connection	keep-alive
        Cookie	crucibleprefs1="D%3D1423697370427"; FESESSIONID=1t7gkorlrltasczw2z0qgg2se; atl.xsrf.token.slash=102cc2c85a7162c9e479c2c2cbe39e99d1c2cb6b
        Host	localhost:8060
        User-Agent	Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:34.0) Gecko/20100101 Firefox/34.0
        
        Response
        Content-Encoding	gzip
        Content-Language	en-US
        Content-Length	9415
        Content-Type	text/html;charset=UTF-8
        Server	Jetty(8.1.10.v20130312)
        Vary	Accept-Encoding, User-Agent
        X-ASESSIONID	16q2zjr
        X-AUSERNAME	anonymous
        X-UA-Compatible	IE=Edge
        
      • The remember cookie is gone and the user is redirected to the login page.
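      The following Python script is an added example, not Crucible's or Atlassian's code. It parses header captures pasted in the Name<TAB>value layout used above and flags the pattern the issue describes: a response served under a named user although the request carried no SSO token (only the remember cookie), a persistent remember cookie being set, and the same application session flipping from a named user to anonymous on the next request. The SSO cookie name crowd.token_key is an assumption (Crowd's default name; the issue only speaks of "the crowd token" and never shows it), and the embedded captures are constructed abbreviations of the two exchanges quoted above.

```python
"""Audit captured request/response header pairs for the remember-cookie
behaviour reported in CRUC-7130 (added example, not Atlassian code)."""

# Assumption: Crowd's default SSO cookie name. The issue never shows it.
SSO_COOKIE = "crowd.token_key"
REMEMBER_COOKIE = "remember"


def parse_headers(block: str) -> dict:
    """Turn 'Name<TAB>value' lines into {lower-name: [values]}.
    Repeated names (e.g. several Set-Cookie lines) are kept as a list."""
    headers = {}
    for line in block.strip().splitlines():
        name, _, value = line.partition("\t")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def request_cookies(headers: dict) -> dict:
    """Cookie names -> values from the request's Cookie header(s)."""
    cookies = {}
    for raw in headers.get("cookie", []):
        for part in raw.split(";"):
            name, sep, value = part.strip().partition("=")
            if sep:
                cookies[name] = value.strip('"')
    return cookies


def set_cookies(headers: dict) -> list:
    """Each Set-Cookie as (name, value, {attribute: value}); flag-only
    attributes such as HttpOnly map to an empty string."""
    out = []
    for raw in headers.get("set-cookie", []):
        pieces = [p.strip() for p in raw.split(";")]
        name, _, value = pieces[0].partition("=")
        attrs = {}
        for piece in pieces[1:]:
            key, _, val = piece.partition("=")
            attrs[key.lower()] = val
        out.append((name, value, attrs))
    return out


def audit_exchange(req: dict, resp: dict) -> list:
    """Single-exchange checks: who the server says we are versus which
    credential cookies the request actually carried."""
    findings = []
    cookies = request_cookies(req)
    user = resp.get("x-ausername", ["anonymous"])[0]
    if user != "anonymous" and SSO_COOKIE not in cookies:
        source = REMEMBER_COOKIE if REMEMBER_COOKIE in cookies else "no credential"
        findings.append(
            f"served as '{user}' without SSO token; identity source: {source} cookie")
    for name, _, attrs in set_cookies(resp):
        if name == REMEMBER_COOKIE and ("expires" in attrs or "max-age" in attrs):
            findings.append("persistent remember cookie set; it survives browser close: "
                            + attrs.get("expires", attrs.get("max-age", "")))
    return findings


def audit_sequence(exchanges: list) -> list:
    """Cross-request check: same X-ASESSIONID, but the identity drops from
    a named user to anonymous, so the user was never bound to the session."""
    findings, prev = [], None
    for i, (req, resp) in enumerate(exchanges):
        findings += [f"#{i}: {f}" for f in audit_exchange(req, resp)]
        sid = resp.get("x-asessionid", [None])[0]
        user = resp.get("x-ausername", ["anonymous"])[0]
        if prev and prev[0] == sid and prev[1] != "anonymous" and user == "anonymous":
            findings.append(f"#{i}: session {sid} was '{prev[1]}' and is now anonymous")
        prev = (sid, user)
    return findings


# Constructed captures, abbreviated from the two exchanges in the issue.
FIRST_REQUEST = parse_headers(
    "Cookie\tcrucibleprefs1=\"D%3D1423697357467\"; "
    "remember=crowdadmin:23:62ca5b2cc3ba57dfa76888e33583f601\n"
    "Host\tlocalhost:8060")
FIRST_RESPONSE = parse_headers(
    "Set-Cookie\tremember=crowdadmin:23:62ca5b2cc3ba57dfa76888e33583f601;"
    "Path=/;Expires=Thu, 11-Feb-2016 23:29:30 GMT;HttpOnly\n"
    "Set-Cookie\tFESESSIONID=1t7gkorlrltasczw2z0qgg2se;Path=/;HttpOnly\n"
    "X-ASESSIONID\t16q2zjr\nX-AUSERNAME\tcrowdadmin")
SECOND_REQUEST = parse_headers(
    "Cookie\tcrucibleprefs1=\"D%3D1423697370427\"; "
    "FESESSIONID=1t7gkorlrltasczw2z0qgg2se\nHost\tlocalhost:8060")
SECOND_RESPONSE = parse_headers("X-ASESSIONID\t16q2zjr\nX-AUSERNAME\tanonymous")
SAMPLE = [(FIRST_REQUEST, FIRST_RESPONSE), (SECOND_REQUEST, SECOND_RESPONSE)]

if __name__ == "__main__":
    for finding in audit_sequence(SAMPLE):
        print(finding)
```

      Run against the two captures it reports three findings: the first page was served as crowdadmin on the strength of the remember cookie alone, that cookie is re-issued with a one-year expiry, and session 16q2zjr changes from crowdadmin to anonymous on the reload. The same functions can be pointed at a fresh capture (for instance after a fix) to confirm that a request carrying only the remember cookie is no longer answered as a named user.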

      People
        Assignee: Unassigned
        Reporter: David Mahoney
      Votes: 2
      Watchers: 7