
AJAX callbacks generate 403s for expired sessions which can trigger an IPS

      Hi,

      I kept getting locked out of company systems and we eventually tracked it down to our intrusion protection system, OSSEC, blocking me due to these calls on a Jenkins server:

      "POST /ajaxExecutors HTTP/1.1" 403

      Turns out if you leave a Jenkins tab open in a browser and the session times out, Jenkins goes right on polling for build information with AJAX (I've tagged core and the Dashboard View Plugin, because this happens on dashboard pages I think, but I'm not 100% on that). The consequence of this is a continuous string of 403 response codes which, after a little while, will trigger any IPS worth its salts to block the IP address - which is exactly what happens to me.

      Why Jenkins bug? Because most applications I've come across handle this by redirecting folk to the login page if they get a 403 from an AJAX call, not keeping on hammering on those 403s. If Jenkins did that, there'd be one 403, a redirect to login and there the browser tab would sit, showing a login screen. And an IPS would not be triggered.

      Edit: removed the dashboard tag, realised it's definitely the Build Executor div causing this. Also, it's been noted to me this is a regression as the Build Executor box didn't used to do this. Perhaps the response code has changed or the way Jenkins handles session timeouts?

      Hope that makes sense!

      Thanks,

      Greg
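The client-side behaviour the report asks for, as an added example that is not Jenkins' own code: a poller that stops on the first 403 and sends the tab to the login page, beside the naive loop that keeps polling an expired session. The transport and navigation are injected stubs so it runs outside a browser; `LOGIN_PATH`, `decideAction` and the other names are assumptions, and `/ajaxExecutors` is the endpoint from the report.

```javascript
// Added example (not Jenkins' own code): an AJAX poller that treats a 403
// (expired session) as a signal to stop polling and send the user to the
// login page, next to the "keep hammering" behaviour the report describes.
// All names here are hypothetical; the /ajaxExecutors path is from the report.

const LOGIN_PATH = '/login';          // assumed login page
const POLL_PATH = '/ajaxExecutors';   // endpoint polled by the Build Executor box

// Map one HTTP status to what the poller should do next.
function decideAction(status) {
  if (status === 401 || status === 403) return 'redirect-to-login'; // session gone
  if (status >= 500) return 'backoff';                               // server trouble, slow down
  return 'continue';
}

// Polling loop with the transport and navigation injected so it runs outside a
// browser. transport() returns a status code; navigate(url) stands in for
// window.location.assign(url).
function runPoller(transport, navigate, maxPolls) {
  const statuses = [];
  let delay = 1; // seconds until the next poll
  for (let i = 0; i < maxPolls; i++) {
    const status = transport();
    statuses.push(status);
    const action = decideAction(status);
    if (action === 'redirect-to-login') {
      // One 403, then the tab shows the login screen and no further requests go out.
      navigate(LOGIN_PATH + '?from=' + encodeURIComponent(POLL_PATH));
      return { statuses, redirected: true, delay };
    }
    delay = action === 'backoff' ? Math.min(delay * 2, 60) : 1;
  }
  return { statuses, redirected: false, delay };
}

// The behaviour in the report: poll on every tick regardless of the response.
function runNaivePoller(transport, maxPolls) {
  const statuses = [];
  for (let i = 0; i < maxPolls; i++) statuses.push(transport());
  return { statuses, redirected: false };
}

// Constructed session: `goodPolls` 200s, then the session expires and every
// poll returns 403, as in the log line from the report.
function makeExpiringSession(goodPolls) {
  let n = 0;
  return () => (n++ < goodPolls ? 200 : 403);
}

function count403(result) {
  return result.statuses.filter((s) => s === 403).length;
}
```

With the fixed poller the IPS sees a single 403 per expired tab; the naive loop produces one per poll interval for as long as the tab stays open.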


          There are no comments yet on this issue.

Reporter: gregharvey (Greg Harvey)