Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-40380

AJAX callbacks generate 403s for expired sessions which can trigger an IPS



      I kept getting locked out of company systems and we eventually tracked it down to our intrusion protection system, OSSEC, blocking me due to these calls on a Jenkins server:

      "POST /ajaxExecutors HTTP/1.1" 403

      Turns out if you leave a Jenkins tab open in a browser and the session times out, Jenkins goes right on polling for build information with AJAX (I've tagged core and the Dashboard View Plugin, because this happens on dashboard pages I think, but I'm not 100% on that). The consequence of this is a continuous string of 403 response codes which, after a little while, will trigger any IPS worth its salts to block the IP address - which is exactly what happens to me.

      Why Jenkins bug? Because most applications I've come across handle this by redirecting folk to the login page if they get a 403 from an AJAX call, not keeping on hammering on those 403s. If Jenkins did that, there'd be one 403, a redirect to login and there the browser tab would sit, showing a login screen. And an IPS would not be triggered.

      Edit: removed the dashboard tag, realised it's definitely the Build Executor div causing this. Also, it's been noted to me this is a regression as the Build Executor box didn't used to do this. Perhaps the response code has changed or the way Jenkins handles session timeouts?

      Hope that makes sense!



            Unassigned Unassigned
            gregharvey Greg Harvey
            0 Vote for this issue
            1 Start watching this issue