• Type: Bug
    • Resolution: Unresolved
    • Priority: Medium
    • Fix version: None
    • Affects versions: 2.8.3, 2.9.1
    • Component: SSO

      Problem:

      Crowd doesn't remove the "Remember me" cookies (seraph.confluence, seraph.rememberme.cookie and _atl_bitbucket_remember_me) when you log out from applications that are connected to it and using SSO. As a result, if you close the browser and open it again, you are already logged in.

      For JIRA Data Center and Bitbucket Data Center, you have the option to check the "Remember me" option as outlined in the following screenshots:


      So this problem only happens when the "Remember me" option is checked.

      However, for Confluence Data Center, the "Remember me" option is hidden:

      When that option is hidden, the "Remember me" token seraph.rememberme.cookie is set by default (value="true"):

          #if ($action.shouldRememberMeCheckboxBeOmitted())
              <input type="hidden" name="os_cookie" value="true"/>
          #else
              #bodytag( "Component" "label='remember.accesskey'" "name='os_cookie'" "value='false'" "theme='aui'" "template='onofflist.vm'") #end
          #end


      This is by design: Data Center relies on the seraph.confluence cookie to distribute the load between the nodes.

      One thing to note is that the seraph.confluence cookie is only generated when you open the browser and log in through Confluence. If you log in through any other application, that cookie is not generated.

      How to test this:

      Test One:

      • Open Chrome and go to Settings > show advanced settings > clear browsing data, and clear everything from the beginning of time
      • Now, open Confluence and log in
      • Check your browser's cookies (Settings > show advanced settings > content settings > All cookies and site data). The seraph.confluence cookie is set for your domain (localhost, on my tests)
      • Now, log in to JIRA
      • Log out from JIRA and close the browser
      • Open the browser again and check your cookies again. The seraph.confluence cookie is still there
      • Open Confluence. Since the seraph.confluence cookie still exists, you are not asked to log in to Confluence (not the expected behavior)

      Test Two:

      • Close all tabs and clear your browser's cache: Settings > show advanced settings > clear browsing data, and clear everything from the beginning of time
      • Log in to JIRA
      • Open a new tab and open Confluence; you should be automatically logged in
      • Check your browser's cookies (Settings > show advanced settings > content settings > All cookies and site data). The seraph.confluence cookie is not there
      • Log out from JIRA
      • Close the browser
      • Open the browser again and try to log in to Confluence. Since the seraph.confluence cookie doesn't exist, you are asked to log in to Confluence, as expected

      Proposed Fix:

      When logging out of applications that are using SSO, all cookies (including the "Remember me" ones) should be cleared as well.
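As an added example (not Atlassian's, Crowd's or Seraph's code), the following Python script models the check behind the proposed fix: it replays the Set-Cookie headers of a logout response against a browser cookie jar and lists the remember-me cookies that would survive, first for a constructed logout response that only drops the servlet session (the behaviour reported above) and then for one that also expires the three cookies named in the description. The cookie values and both responses are constructed for the example, and the model ignores Domain and Path scoping (cookies are matched by name only), which is an assumption.

```python
"""Check whether an SSO logout response clears the "Remember me" cookies.

Added example for CWD-4749; it is not Atlassian/Crowd/Seraph code. It models a
browser cookie jar, applies the Set-Cookie headers a logout response returns,
and reports which remember-me cookies would survive. Assumed simplification:
Domain and Path scoping are ignored, so a cookie is matched by name only.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Cookie names taken from the issue description.
REMEMBER_ME_COOKIES = (
    "seraph.confluence",
    "seraph.rememberme.cookie",
    "_atl_bitbucket_remember_me",
)


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    first, *rest = header.split(";")
    name, _, value = first.strip().partition("=")
    attributes = {}
    for attr in rest:
        key, _, val = attr.strip().partition("=")
        attributes[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attributes


def deletes_cookie(attributes, now):
    """True if the attributes tell a browser to drop the cookie.

    RFC 6265: Max-Age takes precedence over Expires; Max-Age <= 0 or an
    Expires date in the past removes the cookie. Anything else keeps it.
    """
    if "max-age" in attributes:
        try:
            return int(attributes["max-age"]) <= 0
        except ValueError:
            pass  # browsers ignore a malformed Max-Age and fall back to Expires
    if "expires" in attributes:
        try:
            expires = parsedate_to_datetime(attributes["expires"])
        except (TypeError, ValueError):
            return False
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return expires <= now
    return False


def apply_logout_response(jar, set_cookie_headers, now=None):
    """Return the cookie jar a browser would hold after the logout response."""
    now = now or datetime.now(timezone.utc)
    jar = dict(jar)  # do not mutate the caller's jar
    for header in set_cookie_headers:
        name, value, attributes = parse_set_cookie(header)
        if deletes_cookie(attributes, now):
            jar.pop(name, None)
        else:
            jar[name] = value
    return jar


def lingering_remember_me(jar):
    """Remember-me cookies still in the jar after logout; [] means logout is complete."""
    return sorted(name for name in jar if name in REMEMBER_ME_COOKIES)


def clearing_headers(names, path="/", domain=None):
    """Set-Cookie headers a logout response should send to expire each cookie.

    Both Max-Age=0 and an Expires date in the past are sent so that old and
    new user agents delete the cookie; Path (and Domain, if the cookie was set
    with one) must match the original cookie or the browser keeps it.
    """
    headers = []
    for name in names:
        parts = [f"{name}=", f"Path={path}", "Max-Age=0",
                 "Expires=Thu, 01 Jan 1970 00:00:00 GMT", "HttpOnly"]
        if domain:
            parts.append(f"Domain={domain}")
        headers.append("; ".join(parts))
    return headers


# Constructed jar mirroring "Test One": logged in to Confluence, then JIRA.
JAR_AFTER_LOGIN = {
    "JSESSIONID": "constructed-session-id",
    "seraph.confluence": "constructed-confluence-remember-me-token",
    "seraph.rememberme.cookie": "constructed-jira-remember-me-token",
}

# Constructed logout response that only drops the servlet session and leaves
# the remember-me cookies in place (the behaviour the issue reports).
INCOMPLETE_LOGOUT = ["JSESSIONID=; Path=/; Max-Age=0; HttpOnly"]

# Logout response following the proposed fix: expire the remember-me cookies too.
FIXED_LOGOUT = INCOMPLETE_LOGOUT + clearing_headers(REMEMBER_ME_COOKIES)

if __name__ == "__main__":
    for label, response in (("incomplete", INCOMPLETE_LOGOUT), ("fixed", FIXED_LOGOUT)):
        left = lingering_remember_me(apply_logout_response(JAR_AFTER_LOGIN, response))
        print(f"{label:10s} logout -> lingering remember-me cookies: {left or 'none'}")
```

Running the script reports seraph.confluence and seraph.rememberme.cookie as lingering for the incomplete response and none for the fixed one. Against a real deployment the same functions can be fed the Set-Cookie headers captured from each application's logout endpoint, which turns the manual "check your cookies" steps above into a repeatable check.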

        Attachments:
        1. bb_remember_me.png (195 kB)
        2. confluence_no_remember_me.png (125 kB)
        3. jira_remember_me.png (216 kB)

            [CWD-4749] Inconsistent SSO behavior when using Data Center

            Brian Roberts added a comment - Bamboo DC 8.2.5 is also setting the remember me token seraph.bamboo automatically when authenticated in this manner.

            Ilkka Kiiskinen added a comment - We have set up Crowd Data Center (3.7.1) with SSO 2.0 for Bitbucket Server, 2 Jira Server instances, and 2 Confluence Server instances.

            If we log in to any of the services the login is successful, and changing the service address to another service will take the user to the service, as expected.
            But if the (logged-in) user logs out from JIRA, Confluence or Bitbucket AND the user goes to any of the login pages of the services, the user is able to log in without credentials. I.e. the SSO session is still on, even though the user has logged out.
            If the user logs out in the Crowd application, then the SSO session is terminated and the next login to any of the Atlassian services requires credentials.
            Additional note: this also applies in the case when only one browser tab is used. I.e. no sessions in other tabs are open and the user doesn't check "remember me".

            I'm not sure if this is really the same case as in this issue, but according to Atlassian support it is, so I'm adding my comments to this, and of course hoping to get a fix for this as soon as possible.

              Marek Radochonski (mradochonski@atlassian.com, inactive)
              Clarissa Gauterio (cgauterio, inactive)
              Affected customers: 11
              Watchers: 19