
"Remember me on this computer" does not work, cookie is not accepted in new session

    • Bug
    • Resolution: Fixed
    • Major
    • core
    • Jenkins 1.498 on Debian Squeeze with Java 1.6.0_26

      As of Jenkins version 1.498, the "Remember me" login cookie is not accepted, resulting in a necessary login each time a new Jenkins session is started (loss of session cookie). Versions 1.496 and 1.497 did not show this issue.

      We are using Jenkins' built-in user authentication.

          [JENKINS-16278] "Remember me on this computer" does not work, cookie is not accepted in new session

          m_broida added a comment -

          I apologize for not reading the earlier posts in more detail.
          I added the LogRecorder and the logger as described above.
          When I logout and back in, this (among other detail) shows in the log:

          Mar 17, 2014 3:49:09 PM FINE org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices loginSuccess
          Added remember-me cookie for user 'michael.broida', expiry: 'Mon Mar 31 15:49:09 GMT 2014'

          So it's set to expire in two weeks: Mar 31 - Mar 17 = 14 days.
          My system time was about 10:49AM (US CDT) and the Jenkins Master node time was: 3:49:09PM (UTC). So those line up correctly: US CDT = UTC-5.
          I see log entries like this one [cleansed], apparently every time I click a Jenkins link:

          Mar 17, 2014 3:49:09 PM FINE org.acegisecurity.ui.rememberme.RememberMeProcessingFilter doFilter
          SecurityContextHolder not populated with remember-me token, as it already contained: 'org.acegisecurity.providers.UsernamePasswordAuthenticationToken@f05122ff: Username: org.acegisecurity.userdetails.User@0: Username: michael.broida; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: authenticated, USER, admin; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@957e: RemoteIpAddress: [nn.nn.nn.nn]; SessionId: 178z3b1pbslvm1hyjg8qchd6wo; Granted Authorities: authenticated, USER, admin'

          Chrome shows an ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE cookie with same Mar 31 expiration as above.

          We'll see if Jenkins logs me out in the next couple of hours....


          m_broida added a comment - edited

          I had to close the browser/reboot, so expected the cookie to be deleted. It was, so I was logged out.
          Logged into Jenkins again: new cookie good for 14 days from today.
          We'll see how it goes this time...

          LATER: No problem the rest of that day.
          I'll repost the next time Jenkins logs me out WITHOUT closing the browser.


          m_broida added a comment -

          First login this morning, I did NOT get the ACEGI... cookie. :/
          So I shut down the browser (set to delete all cookies), and restarted.
          This time the cookie shows up.

          The org.acegisecurity.ui.rememberme log does not go back far enough to show that first login. It does show the second ("Added remember-me cookie...." same as above.).

          So, I can't tell WHY that first login did not result in a cookie. :/


          m_broida added a comment -

          OK, same thing today: first login did not save the ACEGI... cookie.
          Logged out and back in, and got that cookie. AND it has not logged me out all day.
          So, sounds like "cookie is not accepted" is actually the cause of logouts for me.

          Now, how do I figure out WHY the cookie is not being accepted? (or not being sent)
          Jenkins 1.542 on Windows, using local login authentication (no AD).


          Kim Abbott added a comment -

          So we still have this issue - we have 3 versions of Jenkins installed on 3 different Linux servers, and any time we log into one UI, it logs us out of the other UIs, so we're constantly having to log back in, over and over. Some other details:

          Jenkins 1. 1.608

          Jenkins 2. 2.7.4, running under Apache Tomcat/7.0.53

          Jenkins 3. 2.73, running under Apache Tomcat/9.0.0.M27

          I cannot see any instance of cookies created in my Chrome. I only see JSESSIONID under each


          Hendrik Millner added a comment -

          Hi Kim,

          May I also ask you to set up a logger according to comment https://issues.jenkins-ci.org/browse/JENKINS-16278?focusedCommentId=174193&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-174193 please? It would be great to be sure whether a correct remember me cookie is created, or not.

          Kim Abbott added a comment - edited

          Thank you Hendrik, I did set up a logger, here is what appears repeatedly from Jenkins 3.

          SecurityContextHolder not populated with remember-me token, as it already contained: 'org.acegisecurity.providers.rememberme.RememberMeAuthenticationToken@edd9cf3c: Username: hudson.security.HudsonPrivateSecurityRealm$Details@7e08bf1b; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@3bcc: RemoteIpAddress: <my PC IP>; SessionId: null; Granted Authorities: authenticated'

          And this is the exact same message I get from Jenkins 2.

          The entry from Jenkins 1 though is a bit different - note there is a SessionID value:

          SecurityContextHolder not populated with remember-me token, as it already contained: 'org.acegisecurity.providers.UsernamePasswordAuthenticationToken@9a1e6431: Username: hudson.security.HudsonPrivateSecurityRealm$Details@305806; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@ffff8868: RemoteIpAddress: <my PC IP>; SessionId: 1sc6t6z8jn1cr2fvqou5qovze; Granted Authorities: authenticated'

           


          Hendrik Millner added a comment -

          This shows that your authentication is retained by the session ID cookie, at least if it is not null. Does this message look different after you were kicked out from the system? Please check the log on the Jenkins instance you were kicked out of. Actually, you should be re-authenticated by your session ID cookie, at least as long as you do not close your browser, or any add-on deletes the cookie. Do you have simultaneous session ID cookies for all of your Jenkins instances in your browser, after you logged in to all instances? Or only one cookie for the last instance you logged into? The session ID cookies expire only when you close your browser.

          Anyways, the different Jenkins instances should not be able to influence each other in your browser, especially if they are hosted on different servers. Do you route the Jenkins UIs through one and the same web server, so that the cookies from the different instances may collide (e.g. http://myserver/jenkins1/ and http://myserver/jenkins2/)?
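The log reading discussed in the comments above can be automated. The following is an added example, not part of the original thread or of Jenkins: it parses FINE records of the shape quoted here and reports the remember-me cookie lifetime and, for each skipped filter pass, which token type was already in the security context and whether a session ID was recorded. The sample lines are constructed, and the lifetime calculation assumes the log timestamps are in UTC, as on the master in this thread.

```python
import re
from datetime import datetime

HEADER = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) FINE \S+ \w+$")
COOKIE = re.compile(r"Added remember-me cookie for user '([^']*)', expiry: '([^']*)'")
SKIPPED = re.compile(r"already contained: '([\w.$]+)@\w+:.*?SessionId: ([^;]+);")

# Constructed sample records in the shape quoted in this thread
# (user, address, session id and object hashes are placeholders).
_TAIL = ("@0000: Username: alice; Password: [PROTECTED]; Authenticated: true; "
         "Details: org.acegisecurity.ui.WebAuthenticationDetails@0000: "
         "RemoteIpAddress: 192.0.2.10; SessionId: %s; Granted Authorities: authenticated'")
_MSG = "SecurityContextHolder not populated with remember-me token, as it already contained: '"
SAMPLE = [
    "Mar 17, 2014 3:49:09 PM FINE org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices loginSuccess",
    "Added remember-me cookie for user 'alice', expiry: 'Mon Mar 31 15:49:09 GMT 2014'",
    "Mar 17, 2014 3:49:10 PM FINE org.acegisecurity.ui.rememberme.RememberMeProcessingFilter doFilter",
    _MSG + "org.acegisecurity.providers.UsernamePasswordAuthenticationToken" + _TAIL % "EXAMPLESESSIONID",
    _MSG + "org.acegisecurity.providers.rememberme.RememberMeAuthenticationToken" + _TAIL % "null",
]

def parse(lines):
    """Turn header/message log lines into a list of event dicts."""
    events, stamp = [], None
    for line in lines:
        header = HEADER.match(line.strip())
        if header:  # remember the record time for the message line that follows
            stamp = datetime.strptime(header.group(1), "%b %d, %Y %I:%M:%S %p")
            continue
        cookie, skipped = COOKIE.search(line), SKIPPED.search(line)
        if cookie and stamp:
            # Assumption: log time and cookie expiry are both UTC/GMT.
            expiry = datetime.strptime(cookie.group(2), "%a %b %d %H:%M:%S GMT %Y")
            events.append({"event": "cookie_issued", "user": cookie.group(1),
                           "lifetime_days": (expiry - stamp).days})
        elif skipped:
            # Report only whether a session id is present, never its value.
            events.append({"event": "filter_skipped",
                           "token": skipped.group(1).rsplit(".", 1)[-1],
                           "has_session": skipped.group(2).strip() != "null"})
    return events

if __name__ == "__main__":
    for event in parse(SAMPLE):
        print(event)
```

The parser deliberately drops the session ID value, so its output can be shared in a ticket without exposing a live session identifier.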

          Kim Abbott added a comment -

          So, I am now noticing that it appears that I'm only running into an issue when I attempt to stay logged into the older Jenkins 1 alongside one of the newer Jenkins 2/3. Lately it appears that if I'm only trying to stay logged into either Jenkins 2/3 I stay logged in, but I can't maintain a login with Jenkins 1 and Jenkins 2/3.


          Hendrik Millner added a comment -

          I am sorry, I cannot help you without further and deeper insight into your system (browser/server). It seems you have a problem with the Jenkins cookies in general, not with the remember me token in particular.
