
"Remember me on this computer" does not work, cookie is not accepted in new session

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major
    • Component: core
    • Environment: Jenkins 1.498 on Debian Squeeze with Java 1.6.0_26

      As of Jenkins version 1.498 the "Remember me" login cookie is not accepted resulting in a necessary login each time a new Jenkins session is started (loss of session cookie). The versions 1.496 and 1.497 did not show this issue.

      We are using Jenkins' built-in user authentication.


          Hendrik Millner created issue -
          Hendrik Millner made changes -
          Description: added the line "We are using Jenkins' built-in user authentication"
          Jesse Glick made changes -
          Link New: This issue is blocking SECURITY-49 [ SECURITY-49 ]

          Bao Xiaopan(Bob) added a comment -

          Same problem occurred on my side...
          What's the latest status for this topic?!

          Timo Leinonen added a comment -

          We are experiencing the same issue, but on the LTS version 1.480.2

          Hendrik Millner made changes -
          Status Original: Open [ 1 ] New: In Progress [ 3 ]

          Hendrik Millner added a comment -

          commit a9aff088 [SECURITY-49] introduced a change in signature generation for the remember-me token in jenkins/core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java:

              String expectedTokenSignature = MAC.mac(userDetails.getUsername() + ":" + tokenExpiryTime + ":" + "N/A" + ":" + getKey());

          This code is used to VERIFY a cookie sent to Jenkins. The new verification process seems fine, but the change in code is NOT reflected in org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices.loginSuccess, where remember-me cookies are created and sent to the user. Here, the old signature generation is still being used:

              String signatureValue = DigestUtils.md5Hex(username + ":" + expiryTime + ":" + password + ":" + key);

          I suggest either @Override-ing TokenBasedRememberMeServices.loginSuccess in /jenkins-core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java as well, to rely on TokenBasedRememberMeServices2.makeTokenSignature, or reverting to the old MD5 signature.

          Any comments?
          Hendrik Millner made changes -
          Assignee New: Hendrik Millner [ lime ]
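          The mismatch described in the comment above, reproduced as an added example in Python (it is not Jenkins' or acegi's own code): a minimal remember-me service that issues cookies of the acegi form base64(username:expiry:signature), verifies them with the post-SECURITY-49 scheme, and shows that a cookie signed by the unpatched loginSuccess (MD5 over username:expiry:password:key) is rejected, while a cookie from an overridden loginSuccess that calls the same makeTokenSignature is accepted. The MAC is modelled as HMAC-SHA256 over a constructed secret, and the user table and key strings are constructed inputs; none of these specifics come from the page.

```python
"""Added example, not Jenkins/acegi code: model of the remember-me cookie
signature mismatch between cookie creation and cookie verification.

Assumptions (not from the page): MAC.mac is modelled as HMAC-SHA256 keyed
with a constructed secret; 'key' plays the role of getKey(); 'users' stands
in for the UserDetailsService lookup.
"""
import base64
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class RememberMeServices:
    """Issues and verifies remember-me cookies of the acegi form
    base64("username:expiryMillis:signature")."""
    key: str                  # instance-wide secret, the getKey() value
    hmac_secret: bytes        # constructed secret behind the modelled MAC
    users: Dict[str, str]     # username -> password (UserDetails lookup)

    # -- signature schemes ----------------------------------------------
    def md5_signature(self, username: str, expiry: int, password: str) -> str:
        """Old acegi scheme: md5Hex(username:expiry:password:key)."""
        data = f"{username}:{expiry}:{password}:{self.key}".encode()
        return hashlib.md5(data).hexdigest()

    def make_token_signature(self, username: str, expiry: int) -> str:
        """New Jenkins scheme: MAC(username:expiry:"N/A":key); the password
        no longer enters the signature. HMAC-SHA256 is an assumption."""
        data = f"{username}:{expiry}:N/A:{self.key}".encode()
        return hmac.new(self.hmac_secret, data, hashlib.sha256).hexdigest()

    # -- cookie creation (loginSuccess) ----------------------------------
    def _expiry(self, ttl_seconds: int) -> int:
        return int(time.time() * 1000) + ttl_seconds * 1000

    def login_success_old(self, username: str, ttl_seconds: int = 14 * 86400) -> str:
        """Unpatched superclass behaviour: cookie still signed with MD5."""
        expiry = self._expiry(ttl_seconds)
        sig = self.md5_signature(username, expiry, self.users[username])
        return base64.b64encode(f"{username}:{expiry}:{sig}".encode()).decode()

    def login_success_fixed(self, username: str, ttl_seconds: int = 14 * 86400) -> str:
        """Overridden loginSuccess: cookie signed with make_token_signature,
        i.e. the same function the verifier uses."""
        expiry = self._expiry(ttl_seconds)
        sig = self.make_token_signature(username, expiry)
        return base64.b64encode(f"{username}:{expiry}:{sig}".encode()).decode()

    # -- cookie verification (processAutoLoginCookie after SECURITY-49) --
    def process_auto_login_cookie(self, cookie: str, now_millis: Optional[int] = None) -> Optional[str]:
        """Return the username if the cookie verifies, otherwise None."""
        try:
            username, expiry_str, presented = base64.b64decode(cookie).decode().split(":", 2)
            expiry = int(expiry_str)
        except (ValueError, UnicodeDecodeError):
            return None                      # malformed cookie
        if username not in self.users:
            return None                      # unknown user
        now = int(time.time() * 1000) if now_millis is None else now_millis
        if expiry < now:
            return None                      # expired token
        expected = self.make_token_signature(username, expiry)
        if not hmac.compare_digest(expected, presented):
            return None                      # signature mismatch
        return username


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Constructed scenario: the old issuer's cookie is rejected by the new
    verifier, the overridden issuer's cookie is accepted."""
    svc = RememberMeServices(key="instance-secret", hmac_secret=b"\x01" * 32,
                             users={"alice": "wonderland"})
    broken = svc.process_auto_login_cookie(svc.login_success_old("alice"))
    fixed = svc.process_auto_login_cookie(svc.login_success_fixed("alice"))
    return broken, fixed


if __name__ == "__main__":
    print(demo())
```

          The point the model makes explicit is that the cookie issuer and the cookie verifier must derive the signature from one shared function; changing only the verifier, as the SECURITY-49 commit did, invalidates every cookie the unchanged loginSuccess keeps issuing, which is exactly the "login required on every new session" symptom reported here.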

          Jesse Glick added a comment -

          https://github.com/jenkinsci/jenkins/pull/673

          Martin Scherer added a comment -

          Would love to see this pull request in the LTS version, as this is affected too.

            Assignee: Hendrik Millner (lime)
            Reporter: Hendrik Millner (lime)
            Votes: 29
            Watchers: 34