Details
-
Bug
-
Resolution: Unresolved
-
Low
-
None
-
7.6.7
-
7.06
-
2
-
Severity 3 - Minor
-
1
-
Description
Summary
When utilizing Crowd SSO auth to Jira, the crowd.token_key cookie is not removed if a user's Crowd session is expired.
Steps to Reproduce
- Configure a Crowd Server
- Integrate Jira with Crowd using the SSO Seraph authenticator
- Authenticate to Jira as a Crowd user, view browser cookies and observe presence of crowd.token_key cookie
- Forcibly expire the user's session in Crowd
- Wait for the Crowd session.validationinterval value to expire (2 minutes by default)
- Try to load a Jira page, you should be logged out and redirected to login page
- Refresh and view cookies, observe that the crowd.token_key cookie is still present.
Expected Results
The cookie should be removed from subsequent requests, as it is with Bitbucket.
Actual Results
Cookie persists, and each attempt to load the page before re-authenticating will perform a POST call to the Crowd server for a no-longer extant Crowd session, e.g.:
http://ssotest.private:8095/crowd/rest/usermanagement/1/session/Ew68GQY0DZYVT8W9A0UzDA00 404 - Not Found
Jira will retry the POST request 4x+ times before user is redirected to a login page.
Jira should also remove the cookie when it performs the redirect.
Attachments
Issue Links
- is related to
-
CONFSERVER-56149 crowd.token_key not removed if Crowd session is expired
- Gathering Impact
- relates to
-
CONFSERVER-56149 crowd.token_key not removed if Crowd session is expired
- Gathering Impact