Crowd Data Center
CWD-4749

Inconsistent SSO behavior when using Data Center


Details

    • Bug
    • Resolution: Unresolved
    • Medium
    • None
    • 2.8.3, 2.9.1
    • SSO

    Description

      Problem:

      Crowd doesn't remove the "Remember me" cookies (seraph.confluence,
      seraph.rememberme.cookie and _atl_bitbucket_remember_me) when you log out from applications that are connected to it and using SSO. As a result, if you close the browser and open it again, you are still logged in.

      For JIRA Data Center and Bitbucket Data Center, you have the option to check the "Remember me" option as outlined in the following screenshots:


      So this problem only happens when the "Remember me" option is checked.

      However, for Confluence Data Center, the "Remember me" option is hidden:

      When that option is hidden, the "Remember me" token seraph.rememberme.cookie is set by default (value="true"):

      #if ($action.shouldRememberMeCheckboxBeOmitted())
          <input type="hidden" name="os_cookie" value="true"/>
      #else
          #bodytag( "Component" "label='remember.accesskey'" "name='os_cookie'" "value='false'" "theme='aui'" "template='onofflist.vm'") #end
      #end

      It is designed this way because Confluence Data Center relies on the seraph.confluence cookie to distribute the load between the nodes.

      One thing to note is that the seraph.confluence cookie is only generated when you open the browser and log in through Confluence. If you log in through any other application, that cookie is not generated.

      How to test this:

      Test One:

      • Open Chrome and go to Settings > show advanced settings > clear browsing data and clear everything from the beginning of time
      • Now, open Confluence and log in
      • Check your browser's cookies (Settings > show advanced settings > content settings > All cookies and site data). The seraph.confluence cookie is set for your domain (localhost, on my tests)
      • Now, log in to JIRA
      • Log out from JIRA and close the browser
      • Open the browser again and check your cookies again. The seraph.confluence cookie is still there
      • Open Confluence. Since the seraph.confluence cookie still exists, you are not asked to log in to Confluence (not the expected behavior)

      Test Two:

      • Close all tabs and clear your browser's cache: Settings > show advanced settings > clear browsing data and clear everything from the beginning of time
      • Log in to JIRA
      • Open a new tab and open Confluence; you should be automatically logged in
      • Check your browser's cookies (Settings > show advanced settings > content settings > All cookies and site data). The seraph.confluence cookie is not there
      • Log out from JIRA
      • Close the browser
      • Open the browser again and try to log in to Confluence. Since the seraph.confluence cookie doesn't exist, you are asked to log in to Confluence, as expected

      Proposed Fix:

      When logging out of applications that are using SSO, all cookies (including the "Remember Me" ones) should be cleared as well.
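An automated counterpart to the manual cookie checks above, added here as an example (it is not part of this ticket, of Crowd or of any Atlassian product): it reads the Set-Cookie headers of an SSO logout response and reports which of the remember-me cookies named in this ticket were not expired, so the proposed fix can be verified without clicking through browser settings. The sample headers are constructed; note that a clearing Set-Cookie only removes a cookie when its Domain and Path match the original, which this check does not verify.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Remember-me cookies this ticket says survive an SSO logout.
REMEMBER_ME_COOKIES = ("seraph.confluence", "seraph.rememberme.cookie",
                       "_atl_bitbucket_remember_me")

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs); attribute names lowercased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def is_cleared(attrs, now):
    """True if the cookie is being expired: Max-Age <= 0 (wins per RFC 6265) or Expires in the past."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            return False
    if "expires" in attrs:
        try:
            return parsedate_to_datetime(attrs["expires"]) <= now
        except (TypeError, ValueError):
            return False
    return False  # no expiry attribute: the cookie is being (re)set, not cleared

def remaining_remember_me(set_cookie_headers, now=None):
    """Remember-me cookies the logout response left alive: absent from it, or re-set with a live value.
    Caveat: a clearing Set-Cookie only works if Domain and Path match the original; not checked here."""
    now = now or datetime.now(timezone.utc)
    cleared = set()
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name in REMEMBER_ME_COOKIES and is_cleared(attrs, now):
            cleared.add(name)
    return [c for c in REMEMBER_ME_COOKIES if c not in cleared]

# Constructed sample: the logout expires seraph.confluence, re-issues
# seraph.rememberme.cookie and never touches _atl_bitbucket_remember_me.
SAMPLE_LOGOUT_HEADERS = [
    "seraph.confluence=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; HttpOnly",
    "JSESSIONID=; Max-Age=0; Path=/",
    "seraph.rememberme.cookie=1234%3Aabcd; Max-Age=1209600; Path=/; HttpOnly",
]
```

On the constructed sample, remaining_remember_me(SAMPLE_LOGOUT_HEADERS) returns ['seraph.rememberme.cookie', '_atl_bitbucket_remember_me'], the two cookies a browser would still hold after closing and reopening.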

      Attachments

        1. bb_remember_me.png (195 kB)
        2. confluence_no_remember_me.png (125 kB)
        3. jira_remember_me.png (216 kB)

      People

        mradochonski@atlassian.com Marek Radochonski (Inactive)
        cgauterio Clarissa Gauterio (Inactive)
        Votes: 11
        Watchers: 19