-
Bug
-
Resolution: Fixed
-
Medium (View bug fix roadmap)
-
4.2
-
None
-
r124669
-
4.02
-
Steps:
1. Login to JIRA.
2. Goto Admin-> Custom fields.
3. Select any custom field and click on "Configure".
4. Click on "Edit default value".
5. Now from the the other tab on same browser, logout to timeout the session.
6. Now user click "OK" to set the value in first tab.
7. As the session is timeout, user is ask to login again. User enter the valid user/pwd.
Result:
1. JIRA fails with null pointer exception. Log file is attached.
- is duplicated by
-
-
- Closed
-
- is related to
-
-
- Closed
-
- relates to
-
JRASERVER-21800 Adding a comment to issue times out when I have it open in my browser
- Closed
[JRASERVER-22667] JIRA loses posted parameters if you are timed out or log off in another window, so when you are redirected after logging in, you may receive a stacktrace due to missing params
To clarify, the issue described here is about losing POST parameters during a redirect chain. This only happens when your are POSTing to paths that are protected by Seraph using role-based security (currently any path under /secure/admin/*) so a fix for this is unlikely to help doc kaos's users.
Furthermore, it only affects users that:
1) have not used JIRA for over 5 hours and had not checked "Remember my login on this computer" when they logged in, or
2) have logged out of JIRA in another tab
Ignoring (2) for obvious reasons, the severity of this bug is pretty low. It essentially affects admins who leave a tab open for >5 hours and don't use JIRA during that time. I propose we:
- Suppress the Seraph redirect after POST. No good can possibly come out of redirecting to the login page and then redirecting back to the original POST url minus all the POST parameters (you will either get a useless "XSRF token missing" page with no form content, or an exception as described above). Instead we can show a "you have been logged out" page.
- Change the text in our "session expired" page to teach users to click "Remember my login" when they next log in. This way when they first see they page they are more likely to tick the checkbox and never have to worry about lost params again.
Disabling XSRF token validation would not help at all with this problem.
Hi Ken,
The issue you mentioning is seems to be related to XSRF token which is introduced in JIRA from 4.1 onwards. If user is login with "remember me" checked in, then after session timeout, user get an option to retry and form get submitted with data. Please refer to http://confluence.atlassian.com/display/JIRA041/JIRA+4.1+Release+Notes#JIRA4.1ReleaseNotes-XSRFprotection for more info. You can disable XSRF protection for your JIRA instance, the information is same is at http://confluence.atlassian.com/display/JIRA041/Form+Token+Handling#FormTokenHandling-TurningoffFormTokenChecking. Please let us if the issue is not related to XSRF.
Thanks
veenu
Ken Roland
added a comment - This has been driving me crazy. Since we just updated from 3.11 to 4.2 I am getting a FLOOD of users saying they are constantly being logged out as they comment, modify issues. But they all work with JIRA open in multiple tabs in Chrome. e.g.: A developer opens a tab for each issue they are working on that day/week/whatever, QA opens a tab for various bugs they are closing ... then when they actually try to do work in one tab, some other tab has logged them out! Brutal! Voted and watching!
Ken Roland
added a comment - This has been driving me crazy. Since we just updated from 3.11 to 4.2 I am getting a FLOOD of users saying they are constantly being logged out as they comment, modify issues. But they all work with JIRA open in multiple tabs in Chrome. e.g.: A developer opens a tab for each issue they are working on that day/week/whatever, QA opens a tab for various bugs they are closing ... then when they actually try to do work in one tab, some other tab has logged them out! Brutal! Voted and watching! 
Orlando Hernandez
added a comment - Taking the last comment into account, the action has been XSRF protected in JRADEV-3189, so the stack trace is gone. The user will see the behaviour described for XSRF protected POSTS.
Orlando Hernandez
added a comment - Taking the last comment into account, the action has been XSRF protected in JRADEV-3189, so the stack trace is gone. The user will see the behaviour described for XSRF protected POSTS. Orlando Hernandez
added a comment - I have investigated this and this is a but of a generic problem with forms that get submitted via POST to the server. There are two cases.
POSTs that are not XSRF protected:
If such a form gets submitted after the session has timed out, the user will be redirected by seraph to the login page and after the user logs in the action is executed but the post parameters have been lost. The behaviour after this will depend on the strength of the validation of URL parameters done on the server side. Worst case scenario, a NPE can be thrown like in case this because an object was constructed using a null URL parameter and we ended up calling a method on a null reference.
XSRF Protected posts:
Seraph doesn't preserve the url parameters, but the XSRF Check mechanism kicks in before the action command is executed and therefore you get a session expired form token not found style of message. The bad thing is that you won't be able to retry the operation because the POST parameters were dropped by Seraph which is kinda irritating for the user.
From this we can see that the proper fix is having seraph preserve post parameters so that the user is able to continue with the operation when his session has timed out.
I actually think this is sort of a feature and we should do it as story work.
Orlando Hernandez
added a comment - I have investigated this and this is a but of a generic problem with forms that get submitted via POST to the server. There are two cases.
POSTs that are not XSRF protected:
If such a form gets submitted after the session has timed out, the user will be redirected by seraph to the login page and after the user logs in the action is executed but the post parameters have been lost. The behaviour after this will depend on the strength of the validation of URL parameters done on the server side. Worst case scenario, a NPE can be thrown like in case this because an object was constructed using a null URL parameter and we ended up calling a method on a null reference.
XSRF Protected posts:
Seraph doesn't preserve the url parameters, but the XSRF Check mechanism kicks in before the action command is executed and therefore you get a session expired form token not found style of message. The bad thing is that you won't be able to retry the operation because the POST parameters were dropped by Seraph which is kinda irritating for the user.
From this we can see that the proper fix is having seraph preserve post parameters so that the user is able to continue with the operation when his session has timed out.
I actually think this is sort of a feature and we should do it as story work.
If you do this today you will get this: