AJS.conglomerate.cookie can be written with invalid data that prevents other Atlassian applications from logging in.


    • Type: Bug
    • Resolution: Fixed
    • Priority: Medium
    • 5.0.3
    • Affects Version/s: 5.0.1
    • Component/s: None
    • Environment:
      • Reproduced with Chrome and Firefox
    • 5

      • Run JIRA under "/jira" context (http://localhost:8080/jira)
      • Go to UPM (plugin manager) and switch to install tab.
      • Log out and log in to JIRA

      Actual: The AJS.conglomerate.cookie is saved under "/" (root context) with a value similar to:

      __utma=111872281.2081964729.1332130805.1332130805.1332130805.1; __utmz=111872281.1332130805.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); AJS.conglomerate.cookie="||||||upm.tab=install; JSESSIONID=4D26AF92A8827231F3BAF4B7387DD6F2

      Notice the missing closing quote in the value.

      Now, attempt to log in to Confluence running on http://localhost:8090. This cookie will be sent to Confluence as well (since it is saved in root) and the application will fail to authenticate the user.

      Screen recording: http://screencast.com/t/6GwtrTAw

      Notes:

      • I am uncertain if the cookie will be set to this wrong value just by visiting this install tab (you might have to play a little with UPM to arrive at this state).
      • We have confirmed that if the closing quote is added to the cookie, the user is able to log in successfully to Confluence.

            Assignee:
            metapoint
            Reporter:
            Federico Silva Armas [Atlassian]
            Votes:
            0
            Watchers:
            4

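The following is an added example, not part of the original report and not Atlassian code. It checks a Cookie header for the unterminated quoted value described above and shows how a quote-aware parser can lose the cookies that follow it. The parser `parse_quote_aware` is a hypothetical model; the report does not say how Confluence actually parses the header.

```python
# Constructed sample: the Cookie header quoted in the report, split for readability.
REPORTED = (
    "__utma=111872281.2081964729.1332130805.1332130805.1332130805.1; "
    "__utmz=111872281.1332130805.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); "
    'AJS.conglomerate.cookie="||||||upm.tab=install; '
    "JSESSIONID=4D26AF92A8827231F3BAF4B7387DD6F2"
)
# Same header with the closing quote restored, as the reporter's second note describes.
REPAIRED = REPORTED.replace("upm.tab=install;", 'upm.tab=install";')


def parse_quote_aware(header):
    """Hypothetical quote-aware Cookie parser (assumption, not Atlassian code).

    Returns (cookies, unterminated): the parsed name/value pairs and the names
    of cookies whose opening double quote is never closed.
    """
    cookies, unterminated = {}, []
    i, n = 0, len(header)
    while i < n:
        eq = header.find("=", i)
        if eq == -1:
            break  # trailing text without a name=value pair
        name = header[i:eq].strip()
        start = eq + 1
        if header.startswith('"', start):
            close = header.find('"', start + 1)
            if close == -1:
                # No closing quote: the rest of the header becomes this value.
                unterminated.append(name)
                end = n
            else:
                semi = header.find(";", close)
                end = n if semi == -1 else semi
        else:
            semi = header.find(";", start)
            end = n if semi == -1 else semi
        cookies[name] = header[start:end].strip()
        i = end + 1
    return cookies, unterminated


if __name__ == "__main__":
    for label, hdr in (("reported", REPORTED), ("repaired", REPAIRED)):
        parsed, bad = parse_quote_aware(hdr)
        print(label, "unterminated:", bad, "JSESSIONID seen:", "JSESSIONID" in parsed)
```

A server-side filter or log check built on the `unterminated` list can flag or drop the damaged cookie before it reaches authentication code.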