JENKINS-40380

AJAX callbacks generate 403s for expired sessions which can trigger an IPS


      Description

      Hi,

      I kept getting locked out of company systems and we eventually tracked it down to our intrusion protection system, OSSEC, blocking me due to these calls on a Jenkins server:

      "POST /ajaxExecutors HTTP/1.1" 403

      Turns out if you leave a Jenkins tab open in a browser and the session times out, Jenkins goes right on polling for build information with AJAX (I've tagged core and the Dashboard View Plugin, because this happens on dashboard pages I think, but I'm not 100% on that). The consequence of this is a continuous string of 403 response codes which, after a little while, will trigger any IPS worth its salt to block the IP address - which is exactly what happens to me.

      Why Jenkins bug? Because most applications I've come across handle this by redirecting folk to the login page if they get a 403 from an AJAX call, not keeping on hammering on those 403s. If Jenkins did that, there'd be one 403, a redirect to login and there the browser tab would sit, showing a login screen. And an IPS would not be triggered.

      Edit: removed the dashboard tag, realised it's definitely the Build Executor div causing this. Also, it's been noted to me this is a regression as the Build Executor box didn't use to do this. Perhaps the response code has changed or the way Jenkins handles session timeouts?

      Hope that makes sense!

      Thanks,

      Greg
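
The behaviour the report asks for (stop polling on the first 403 and send the tab to the login page), as an added example that is not part of the original report and is not Jenkins code. `nextPollAction`, `requestsSent`, `startPolling` and `LOGIN_URL` are hypothetical names, and the backoff for other errors goes beyond what the report describes.

```javascript
// Added example; all names are hypothetical and this is not Jenkins code.
const LOGIN_URL = "/login"; // assumption: path of the application's login page

// Pure decision step: what the poller does after seeing one HTTP status.
function nextPollAction(status, state) {
  if (status === 403 || status === 401) {
    // Session expired: stop for good, so the server logs a single denial.
    // (401 is treated the same as 403; the report only mentions 403.)
    return { action: "redirect", state: { ...state, stopped: true } };
  }
  if (status >= 200 && status < 300) {
    return { action: "poll", delayMs: state.baseMs, state: { ...state, failures: 0 } };
  }
  // Anything else (5xx, network error reported as 0): capped exponential backoff.
  const failures = state.failures + 1;
  const delayMs = Math.min(state.baseMs * 2 ** failures, state.maxMs);
  return { action: "poll", delayMs, state: { ...state, failures } };
}

// Requests a server would see for a given sequence of responses (constructed input).
function requestsSent(statuses, state = { baseMs: 5000, maxMs: 60000, failures: 0, stopped: false }) {
  let sent = 0;
  for (const status of statuses) {
    if (state.stopped) break;
    sent += 1;
    state = nextPollAction(status, state).state;
  }
  return sent;
}

// Browser wiring: fetchFn, schedule and redirect are injectable for testing.
function startPolling(url, { fetchFn = fetch, schedule = setTimeout,
    redirect = (u) => window.location.assign(u), baseMs = 5000, maxMs = 60000 } = {}) {
  let state = { baseMs, maxMs, failures: 0, stopped: false };
  async function tick() {
    if (state.stopped) return;
    let status = 0;
    try {
      status = (await fetchFn(url, { method: "POST", credentials: "same-origin" })).status;
    } catch { /* network failure: keep status 0 and back off */ }
    const step = nextPollAction(status, state);
    state = step.state;
    if (step.action === "redirect") redirect(LOGIN_URL);
    else schedule(tick, step.delayMs);
  }
  tick();
  return () => { state = { ...state, stopped: true }; }; // call to cancel polling
}
```

With this logic, a tab left open past session expiry produces one 403 in the access log instead of a continuous run of them.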

            Activity

            There are no comments yet on this issue.

              People

              Assignee: Unassigned
              Reporter: Greg Harvey (gregharvey)