Details
- Bug
- Resolution: Won't Fix
- Low
- None
- 2.4.1
- None
- None
Description
CrowdHttpTokenHelperImpl.java:67 searches for the Crowd SSO token in cookies presented with the request. It does this by iterating over the cookies and exiting on the first cookie of the right name. This means that if two cookies with the same name - but different domains - are present, the one that Crowd tests is arbitrary.
Crowd should either:
1. search cookies in order from longest domain to shortest (so more specific tokens override less specific ones)
OR
2. return a set of SSO tokens to test rather than just one (so that override behaviour is controlled higher up).
This is a pretty esoteric bug, requiring different Crowd servers servicing different overlapping domain namespaces (in my case, a test Crowd instance handling requests from tank.sydney.atlassian.com, and the global Crowd instance handling .atlassian.com).
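An added illustration of the second proposal, written here in Python rather than taken from Crowd's Java code. It assumes the browser sends both same-named cookies in one Cookie header; because that header carries only name=value pairs and no Domain attribute (RFC 6265), the server cannot sort by domain, but it can collect every value presented under the SSO cookie name and validate each. The cookie name, token values and the set of valid tokens are constructed for the example.

```python
from typing import List, Optional, Tuple

# Constructed sample: the browser holds one SSO cookie scoped to
# tank.sydney.atlassian.com and another scoped to .atlassian.com, and sends
# both under the same name. The Cookie header carries no domain attribute.
COOKIE_NAME = "crowd.token_key"  # assumed SSO cookie name for this example
SAMPLE_COOKIE_HEADER = (
    "JSESSIONID=abc123; crowd.token_key=global-token; crowd.token_key=test-token"
)

# Constructed: the only token the test Crowd instance would accept.
VALID_TOKENS = {"test-token"}


def parse_cookie_header(header: str) -> List[Tuple[str, str]]:
    """Split a Cookie request header into (name, value) pairs in wire order.
    Duplicate names are kept: a user agent may send several cookies with the
    same name when they differ only in their Domain or Path scope."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        pairs.append((name.strip(), value.strip() if sep else ""))
    return pairs


def first_token(header: str) -> Optional[str]:
    """Behaviour described in the report: stop at the first cookie of the
    right name, so which token is tested depends on the browser's ordering."""
    for name, value in parse_cookie_header(header):
        if name == COOKIE_NAME:
            return value
    return None


def candidate_tokens(header: str) -> List[str]:
    """Proposed fix (option 2): return every value presented under the SSO
    cookie name so the caller decides which one, if any, is acceptable."""
    return [v for n, v in parse_cookie_header(header) if n == COOKIE_NAME]


def authenticate(header: str, valid_tokens=VALID_TOKENS) -> Optional[str]:
    """Accept the request if any presented token is known to this server;
    a token from the other Crowd instance is simply not found and skipped."""
    for token in candidate_tokens(header):
        if token in valid_tokens:
            return token
    return None
```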