• Type: Bug
• Resolution: Fixed
• Priority: High
• Fix Version/s: 3.3.6, 3.4.5
• Affects Version/s: 3.3.0, 3.4.0
• Component/s: None
• Labels:

  None

1. 

   tokenkey.png

   57 kB

   30/Jan/2019 3:00 PM

[CWD-5352] session.tokenkey value randomly generated with quotes causing login issues to applications

Monique Khairuliana (Inactive) made changes - 19/Aug/2019 8:01 AM

Epic Link

Original: CWD-4704 [ 600140 ]

Monique Khairuliana (Inactive) made changes - 15/Aug/2019 7:06 AM

Workflow	Original: Simplified Crowd Development Workflow v2 - restricted [ 3092712 ]	New: JAC Bug Workflow v3 [ 3365579 ]
Status	Original: Resolved [ 5 ]	New: Closed [ 6 ]

Collapse comment: GaryM added a comment - 24/May/2019 10:47 AM

GaryM added a comment - 24/May/2019 10:47 AM

Hershan, It seemed to depend on the length of the username . Our test show 21-chars don't generate an '=', but 20-chars long does, 19-chars does.
I think from memory it went something like NO, NO, YES for 19,20,21 as a username length and repeats that pattern.

Expand comment: GaryM added a comment - 24/May/2019 10:47 AM

GaryM added a comment - 24/May/2019 10:47 AM Hershan, It seemed to depend on the length of the username . Our test show 21-chars don't generate an '=', but 20-chars long does, 19-chars does. I think from memory it went something like NO, NO, YES for 19,20,21 as a username length and repeats that pattern.

Collapse comment: Heshan Manamperi added a comment - 24/May/2019 4:24 AM

Heshan Manamperi added a comment - 24/May/2019 4:24 AM

 using Crowd 3.1.2 over HTTPS, but I don't see above given token pattern in cookies. DO you know why is that? 

Expand comment: Heshan Manamperi added a comment - 24/May/2019 4:24 AM

Heshan Manamperi added a comment - 24/May/2019 4:24 AM  using Crowd 3.1.2 over HTTPS, but I don't see above given token pattern in cookies. DO you know why is that? 

SET Analytics Bot made changes - 24/May/2019 12:51 AM

UIS

Original: 241

New: 262

Collapse comment: Craig Castle-Mead added a comment - 23/May/2019 3:45 PM

Craig Castle-Mead added a comment - 23/May/2019 3:45 PM

Confirming that 3.4.5 has resolved this issue for us - thanks for the fix team Crowd!

Expand comment: Craig Castle-Mead added a comment - 23/May/2019 3:45 PM

Craig Castle-Mead added a comment - 23/May/2019 3:45 PM Confirming that 3.4.5 has resolved this issue for us - thanks for the fix team Crowd!

Mareusz (Inactive) made changes - 23/May/2019 12:21 PM

Resolution		New: Fixed [ 1 ]
Status	Original: In Progress [ 3 ]	New: Resolved [ 5 ]

Bugfix Automation Bot made changes - 23/May/2019 10:01 AM

Support reference count

Original: 12

New: 13

Robert Chang made changes - 22/May/2019 5:09 PM

Description

Original: h3. Issue Summary session.tokenkey value sometimes generated with quotes h3. Environment  * Crowd 3.3.3  * Confluence any version h3. Steps to Reproduce  # Connect Confluence and Crowd with SSO  # Login to Confluence as Crowd users  # Go to Browser Console, to check the session cookies generated h3. Expected Results Session.tokenkey (or crowd.token_key) value will not have quotes h3. Actual Results Session.tokenkey (or crowd.token_key) values will have quotes when an _equal_(=) sign exist in the token  !tokenkey.png|thumbnail!  (i) Looking into the HAR file, the token with quotes will have 1 pair of quotes being _escaped_ that look something like this: {code:java}               "name": "crowd.token_key",               "value": "\"xxxxxxxxxxxxxxxxx=\"", {code} h3. Notes  * This issue not seen without SSO  * This issue does not exists in Crowd version 3.2.5 h3. Workaround  * As the Token is being generated randomly, the affected user can try to *Log Out* and *re-Log In* again to get a new token generated.  * (!) There are still chances that after re-logging the user still get another token with an _equal_(=) symbol in it and hitting into the same issue

New: h3. Issue Summary session.tokenkey value sometimes generated with quotes. This can impact the SSO experience by unexpectedly overwriting cookies h3. Environment  * Crowd 3.3.3  * Confluence any version h3. Steps to Reproduce  # Connect Confluence and Crowd with SSO  # Login to Confluence as Crowd users  # Go to Browser Console, to check the session cookies generated h3. Expected Results Session.tokenkey (or crowd.token_key) value will not have quotes h3. Actual Results Session.tokenkey (or crowd.token_key) values will have quotes when an _equal_(=) sign exist in the token  !tokenkey.png|thumbnail!  (i) Looking into the HAR file, the token with quotes will have 1 pair of quotes being _escaped_ that look something like this: {code:java}               "name": "crowd.token_key",               "value": "\"xxxxxxxxxxxxxxxxx=\"", {code} h3. Notes  * This issue not seen without SSO  * This issue does not exists in Crowd version 3.2.5 h3. Workaround  * As the Token is being generated randomly, the affected user can try to *Log Out* and *re-Log In* again to get a new token generated.  * (!) There are still chances that after re-logging the user still get another token with an _equal_(=) symbol in it and hitting into the same issue

SET Analytics Bot made changes - 22/May/2019 12:43 AM

UIS

Original: 201

New: 241

Load more older events