Crowd has session timeout https://confluence.atlassian.com/display/CROWD/Session+Configuration
Is this time the same?
How you expect "remember me" to work?

https://github.com/jenkinsci/crowd2-plugin/blob/71e87644a84da733aca367258008121150352ef3/src/main/java/de/theit/jenkins/crowd/CrowdRememberMeServices.java#L108

Remember me works only for SSO, but i not sure how it should change session timeout.

I was thinking that if I'm using Crowd just for password validation - and not for full session management, that jenkins would create it's own session cookie that didn't expire. Yes, it's bypassing the session timeout settings from Crowd server, but seems like that should be an option.

I don't use SSO with Crowd on any other services, but I don't have to log in every time with jira/confluence/crucible/etc. I did recently increase some session numbers though, so will have to see if that has any effect on jenkins session lifetime.

Crowd handle authorizations and their security. Jenkins mustn't cache passwords imho.
I want check only two things:

• whether browser can store password and probably then "remember me" can do "autologin"
• probably SSO != "remember me"

Wait, are you saying that the normal remember me is to SAVE THE PASSWORD?! That would be horrible. No remember me implementation should be done that way.

I think remember me should just be setting cookie lifetime (and whether they last for more than one browser session) for the jenkins session cookies. It already has to have a cookie for tracking whether you're logged in or not - just make that "session" persistent over the max lifetime for remember-me.

The only negative of this is that it would not be "aware" of the crowd session limitation, in which case, you could have jenkins periodically re-ask crowd if the users session is still valid, or limit the max 'remember me' lifetime to whatever the session expiration limit is from crowd server.

I think you should just have a simple "make the session cookie expire in NNNNN minutes if remember-me is selected" checkbox on the crowd plugin", which I think would be equivalent to a normal login.

Your cookie timeout configured in Crowd. How you want authorize if it expires in i.e. 30 minutes?

In my environment, I don't have any crowd cookies since I'm not doing SSO. If you mean the crowd 'session' lifetime, not familiar enough with the details. For the most part, I don't limit the lifetimes to anything short, so in my case, I'd want it to just operate as it does now, but instead of setting cookie with the 'this session only' configuration, set it to have a expiration of 'N days'.

That's how all the Atlassian apps operate when SSO isn't enabled - my session never expires as long as long as I don't delete the cookie.

So what session timeout do you have in crowd https://confluence.atlassian.com/display/CROWD/Session+Configuration ?

It was set to 1440 (24 hours), but raised it to a large number for diagnostic purposes - had no effect.

Behavior right now is very clear:

Log in to jenkins
Close browser
Open browser
Not logged into jenkins any more

What browser do you use? Could you try in both: chrome and firefox (also clean cookies before)?

Hi, that one is still open and I can verify the issue. What can I do to help?

Setup:

• Crowd 2.5.0
• SSO Cookie disabled
• Session Timeout >10000

Pull Request fix. Jenkins can't use JSESSIONID TTL cookie, it can use only "remember me" cookie/routine + servlet filters. Also i don't see ways to control cookies TTLs. So "remember me" button not used at all (it can be disabled only in latest jenkins version afair). As i understand you should be logged after close/open browser, because token from crowd is still alive, and seems this part doesn't work.

Initial author mapped autologin to rememberme functionality from servletfilter. ServletFilter should be reworked and auth bean should be checked, rememberme class should be removed at all so jenkins will use core rememberme functionality. Like it was fixed in latest ldap plugin.

Could you try new 1.8 version?

Just deployed 1.8. No longer generates an exception.

Note - it doesn't actually "remember me", but at least it doesn't crash.

Yep, I can confirm this.

1) List cookies for your jenkins. I have ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE that marked as Expired on +14 days
2) add org.acegisecurity.ui.rememberme to jenkins logging (in "manage jenkins"->"System logging")
3) close browser
4) open browser and go to jenkins, without loggin check what cookies exist (at firefox ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE disappeared)
5) navigate to jenkins log and check messages...

And again, what browser do you use?

Using chrome (34.0.1847.137 on linux x86_64)

I see the same ACEGI and a JSESSIONID.<hash>

No output in that log after adding it and closing browser, logging back in.

Personally, the lack of remember me is an annoyance, but at least it's not crashing the page.

Could you join to IRC freenode.net on #jenkins channel it will be easier for me to compare configurations?
And again, crash was only when you checked "remember me" auth was working.

Results of testing refactored plugin: remember me works, need implement SSO auth part and test it.

Regarding the refactored version, may I check a "pre-release" again?

Next week I will add SSO part and then provide new version for testing.

Any update on this? Would sure be nice to have my users stop complaining about their login sessions randomly being lost on Jenkins.

Hi, i stuck with SSO integration. But aheritier promised to help with this change and then we will add caching mechanism for groups.

I promised and I'll do ...

Hi there, it would be really great if this could be done We've got users who have to log in to Jenkins several times per day because of this issue.

Please let me know if you need any help with testing/development, etc.

Thanks!

integer and aheritier, does it make sense to assign this to aheritier for now? Would it also make sense to "Stop Progress" on this until there is sufficient time to tackle the issue? Also, have there been any code reviews or code changes checked in publicly (say, on a branch) yet? Perhaps others can help by leveraging what has already been coded.

Will be glad for somebody's help, refactored state in PR and requires only single SSO resolution, also described how to test.

Hi there,

We have a setup with multiple Jenkins instances with Crowd2 plugin 1.8 and a pretty old Crowd 2.4.2.
On some servers (most are Windows server 2008 or Windows server 2012 based) this problem occurs.
Some servers are running in a different domain than where Crowd is hosted.

With Jenkins 1.609.3 I sometimes have to login every 2-3 minutes.
With Jenkins 1.609.1 I got this on every server I had. With Jenkins 1.609.3 it seems to depend on some other factor.

This however could very well be more related to https://issues.jenkins-ci.org/browse/JENKINS-22775

Has there been any progress in resolving this issue?

Is this plugin still alive, There is no commit since 3 years? There are three open pull requests on GitHub and one refactoring branch with a lot of work already done, but never merged into master branch. We'd really appreciate any progress. If there is any chance to help, I would love to. Maybe it's a good idea to open the plugin for adoption?

integer, is there any workaround how to increase session timeout if the "remember me" doesn't work with crowd2 plugin?

Removing the assignee according to https://groups.google.com/forum/#!topic/jenkinsci-dev/sFejhRvZiIM

hi pingunaut , what is the status of the plugin now? Any chance to have this fixed in 2019?

rocco I'm afraid I'm not able to spend much time on the plugin as my private and professional situation changed a lot.

As you can see from the plugin's wiki page, it is up for adoption again.

However, if you or someone else provides a PR for this issue, I'm more than happy to review and merge.

WBR Martin

Please check latest release. It was fixed by one contributor and as far as I can't tell - it works now.  

plugin is not distributed anymore