Details
- Type: Bug
- Resolution: Fixed
- Priority: Low
- Version/s: 6.3, 6.03
Description
The root of the JIRA web application (e.g. "/" or "/foo/", or whatever the context path is) is a redirect to /secure/MyJiraHome.jspa (and from there typically to Dashboard.jspa). However, we create a session in default.jspa (which serves the root) if one is absent.
This is never necessary, and with poorly configured front-end proxies it sometimes causes the following problem:
- Tomcat sets the path= of the JSESSIONID cookie to the context path with a trailing slash, e.g. "path=/foo/".
- If the browser goes to "/foo" (with no trailing slash), it is not supposed to send the JSESSIONID cookie, because "/foo" is not under "/foo/". Firefox does send it, but none of the other browsers do.
- If Tomcat sees a request to "/foo" it redirects to "/foo/" and does not pass the request to JIRA.
- If the proxy is misconfigured, it may accept "/foo" from the browser (with no cookie) and forward it as "/foo/" to JIRA.
- JIRA then creates a new JSESSIONID, overwriting the old one in the browser.
This manifests as your session being dropped (e.g. getting logged out) whenever you access "/foo" (with no slash). There are various places that send you to the base URL without a slash (e.g. the login gadget).
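The cookie path-match rule and the proxy/session interaction described above, as an added Python simulation (not code from JIRA or Tomcat); the context path "/foo", the session ids and the proxy rewrite are constructed for the example, and the `session_on_root` flag switches between the reported behaviour and the fix:

```python
import itertools

CONTEXT = "/foo"  # constructed example context path, as in the report


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4 path-match: a cookie scoped to 'path=/foo/' is not
    sent with a request for bare '/foo'."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


class Browser:
    def __init__(self):
        self.jar = {}  # cookie name -> (value, path)

    def request(self, path):
        return {n: v for n, (v, p) in self.jar.items() if path_matches(path, p)}

    def store(self, set_cookie):
        self.jar.update(set_cookie)  # a new JSESSIONID overwrites the old one


class JiraApp:
    """Stand-in for JIRA behind Tomcat; session ids are 's1', 's2', ..."""
    def __init__(self, session_on_root):
        self.session_on_root = session_on_root  # True = the bug, False = the fix
        self.ids = itertools.count(1)

    def handle(self, path, cookies):
        sid, set_cookie = cookies.get("JSESSIONID"), {}
        is_root = path == CONTEXT + "/"
        if sid is None and (not is_root or self.session_on_root):
            sid = "s%d" % next(self.ids)
            set_cookie["JSESSIONID"] = (sid, CONTEXT + "/")  # Tomcat's cookie path
        return sid, set_cookie


def misconfigured_proxy(path):
    # Accepts bare '/foo' and forwards it as '/foo/' instead of letting Tomcat redirect
    return path + "/" if path == CONTEXT else path


def simulate(session_on_root):
    """Returns (session seen at login, session seen after visiting bare '/foo')."""
    browser, app, seen = Browser(), JiraApp(session_on_root), []
    dashboard = CONTEXT + "/secure/Dashboard.jspa"
    for path in (dashboard, CONTEXT, dashboard):
        sid, set_cookie = app.handle(misconfigured_proxy(path), browser.request(path))
        browser.store(set_cookie)
        seen.append(sid)
    return seen[0], seen[2]
```

With `session_on_root=True` the dashboard session changes from s1 to s2 after the bare "/foo" visit; with the fix it stays s1.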
Issue Links
- clones JDEV-29281