Jira Service Management Data Center / JSDSERVER-6925

Allowing Jira session to expire without closing browser window can result in redirect to blank page


Details

    Description

      Issue Summary

      For a JSD that uses the local directory and built-in login form, if a user leaves their browser open and takes no action (maintaining a browser session, but not a Jira session), the next action they take (e.g., clicking a link) will result in a redirect to one of JSD’s login pages, but the page will not render, resulting in a blank page.

      Steps to Reproduce

      To reproduce these steps faster, set Jira’s session-timeout to some small value, like 1 or 2 minutes.

      1. Log into an instance of Jira Service Desk (e.g. “/servicedesk/customer/portals”); at the login screen, do not check the “Keep me logged in” checkbox
      2. Access some part of Jira Service Desk (an issue view, portal view, etc.)
      3. Wait for Jira’s session to expire (optionally, keep an eye on Jira’s security log to know the session has been destroyed)
      4. Click a link or refresh the page

      Expected Results

      User should be redirected to a JSD login page; the login form should render, allowing the user to log back in.

      Actual Results

      Short version: The user is redirected to the JSD login page, but an error while rendering the page prevents the login form itself from rendering; instead, the user sees a blank page.

      Long version / theory:

      1. The user is redirected to the JSD login page
      2. Since the user’s browser session hasn’t ended, their browser will still hold the previous session’s JSESSIONID cookie, and will send that cookie in the initial set of requests to the login page
      3. Some of those requests will be to the /rest/webResources/1.0/resources endpoint; this endpoint responds with a 401 when an invalid JSESSIONID is sent, but the endpoint itself – at least for requests from the login page / for assets required for the login page – doesn’t actually require a Jira session to return a successful response
      4. The responses returned by /rest/webResources/1.0/resources are crucial to the continued rendering of the page; once that endpoint responds with a 401, further rendering of the page is blocked, resulting in the blank page

      It seems like this is, at some level, a JavaScript race condition – in my attempts to grab a screen recording of this bug, I found that I couldn’t reproduce the bug while trying to record the screen, while every attempt to reproduce while the screen wasn’t being recorded resulted in the flow described above.

      Workaround

      Users can get around this issue by clearing their cookies or restarting their browser (or taking whatever steps are necessary for their particular browser for the current browser session cookies to be considered "expired").

      If the JSD service is behind a load balancer or other traffic manager which supports scripting and supports modifying requests before forwarding, such a script can be written which removes the JSESSIONID when:

      1. the HTTP method is POST
      2. the request path is */rest/webResources/1.0/resources
      3. the referer is one of JSD’s login pages (e.g. /servicedesk/customer//login*)
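The three conditions above, written out as a request-rewriting rule. This is an added example, not code from the issue or from Atlassian: it models the load-balancer script as a Python function that drops only the stale JSESSIONID cookie (other cookies are kept) when the method, path and referer conditions all hold. The host name, cookie values and the `SAMPLE_HEADERS` request are constructed; the referer pattern from the issue is treated as a path-prefix match.

```python
import re
from urllib.parse import urlparse

# Patterns from the workaround. The endpoint glob "*/rest/webResources/1.0/resources"
# becomes a suffix regex; the referer glob "/servicedesk/customer//login*" is matched
# as a path prefix, tolerating the doubled slash in the page's pattern.
RESOURCES_PATH_RE = re.compile(r".*/rest/webResources/1\.0/resources$")
LOGIN_REFERER_RE = re.compile(r"^/servicedesk/customer/+login")
SESSION_COOKIE = "JSESSIONID"

def _header(headers, name):
    """Case-insensitive lookup, since header names are not case-sensitive."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")

def should_strip_session(method, path, headers):
    """True only when all three workaround conditions hold."""
    if method.upper() != "POST":
        return False
    if not RESOURCES_PATH_RE.match(path.split("?", 1)[0]):
        return False
    referer_path = urlparse(_header(headers, "Referer")).path
    return LOGIN_REFERER_RE.match(referer_path) is not None

def strip_cookie(cookie_header, name=SESSION_COOKIE):
    """Remove one named cookie from a Cookie header value, keeping the rest."""
    parts = [p.strip() for p in cookie_header.split(";") if p.strip()]
    kept = [p for p in parts if p.split("=", 1)[0].strip() != name]
    return "; ".join(kept)

def rewrite_request(method, path, headers):
    """Copy of the headers with the stale JSESSIONID removed when the rule fires."""
    out = dict(headers)
    if not should_strip_session(method, path, out):
        return out
    for key in [k for k in out if k.lower() == "cookie"]:
        remaining = strip_cookie(out[key])
        if remaining:
            out[key] = remaining
        else:
            del out[key]
    return out

# Constructed sample: login-page asset request still carrying the stale session cookie.
SAMPLE_HEADERS = {
    "Referer": "https://jsd.example.com/servicedesk/customer/login?destination=portals",
    "Cookie": "JSESSIONID=STALE123; atlassian.xsrf.token=TOKEN456",
}
```

Because the rule is scoped to POSTs from the login page to the resources endpoint, a valid session on any other page is never touched; the stale cookie is removed only where it would otherwise trigger the 401 described above.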

      People

      Assignee: Unassigned
      Reporter: Lee Goolsbee (lgoolsbee)