Details
- Bug
- Resolution: Unresolved
- Low
- None
- 2.7.2
- 14
- Severity 3 - Minor
- 12
Description
The SSO cookie set by Confluence/Crowd ("crowd.token_key") is set to expire at session end, i.e. when the browser is quit.
This disables any and all "Remember me" checkboxes the users tick in Confluence, and people have to log in again after each browser start.
The token stays in the database, yes, but the cookie set by either Crowd or Confluence and Jira (since they all use the same library) has an expiry time of "session", meaning the cookie carrying the token is gone as soon as the user closes the browser. This happens in every browser.
The steps to reproduce/see this issue are:
a) Crowd 2.7.2+
b) Confluence using a Crowd directory, with the SSO authenticator in seraph-config.xml configured properly:
<authenticator class="com.atlassian.confluence.user.ConfluenceCrowdSSOAuthenticator"/>
Any cookie (by default named "crowd.token_key") set when logging in to a) or b) will not have a MaxAge= parameter set. The code to see this is in atlassian-crowd/components/crowd-integration-client-common/*/CrowdHttpTokenHelperImpl.java at line 188, buildCookie(), which generates a standard servlet Cookie without a MaxAge value set.
As said, the net effect is that SSO sessions are "lost" to the browser as soon as the user restarts it, and the user has to log in again even though the server-side session still persists.
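A small checker for confirming the behaviour described above from the HTTP side (added here as an example; it is not Crowd's or Confluence's code). It parses Set-Cookie headers, reports whether the crowd.token_key cookie carries a Max-Age or Expires attribute (without either, browsers discard it at exit), and also surfaces the Secure/HttpOnly flags, which matter more once an SSO token is made persistent. The sample headers are constructed, not captured from a real installation.

```python
"""Check whether the Crowd SSO cookie is session-only (no Max-Age/Expires)
or persistent, as seen in the server's Set-Cookie headers."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample response headers (hypothetical values, not real tokens).
SAMPLE_HEADERS = [
    "Set-Cookie: JSESSIONID=SESSIONVALUE; Path=/; HttpOnly",
    "Set-Cookie: crowd.token_key=TOKENVALUE; Path=/; HttpOnly",
]


@dataclass
class CookieInfo:
    name: str
    value: str
    attrs: Dict[str, Optional[str]]  # attribute name (lower-case) -> value or None

    @property
    def is_session_cookie(self) -> bool:
        # No Max-Age and no Expires: the browser keeps the cookie only until it exits.
        return "max-age" not in self.attrs and "expires" not in self.attrs


def parse_set_cookie(header: str) -> CookieInfo:
    """Parse one Set-Cookie header (with or without the 'Set-Cookie:' prefix)."""
    line = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in line.strip().split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return CookieInfo(name.strip(), value, attrs)


def audit_sso_cookies(headers: List[str], token_name: str = "crowd.token_key") -> List[dict]:
    """Report lifetime and protection flags for every SSO token cookie in the headers."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie.name != token_name:
            continue
        findings.append({
            "name": cookie.name,
            "session_only": cookie.is_session_cookie,
            "max_age": cookie.attrs.get("max-age"),
            "secure": "secure" in cookie.attrs,
            "httponly": "httponly" in cookie.attrs,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_sso_cookies(SAMPLE_HEADERS):
        print(finding)
```

Run it against the Set-Cookie headers returned by your own Crowd or Confluence login response; a "session_only": True result for crowd.token_key is the condition this report describes.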