Type: Bug
Resolution: Duplicate
Priority: Minor
Environment: Jenkins 2.35, Dashboard View 2.9.2
Hi,
I kept getting locked out of company systems and we eventually tracked it down to our intrusion protection system, OSSEC, blocking me due to these calls on a Jenkins server:
"POST /ajaxExecutors HTTP/1.1" 403
Turns out if you leave a Jenkins tab open in a browser and the session times out, Jenkins goes right on polling for build information with AJAX (I've tagged core and the Dashboard View Plugin, because this happens on dashboard pages I think, but I'm not 100% on that). The consequence of this is a continuous string of 403 response codes which, after a little while, will trigger any IPS worth its salts to block the IP address - which is exactly what happens to me.
Why Jenkins bug? Because most applications I've come across handle this by redirecting folk to the login page if they get a 403 from an AJAX call, not keeping on hammering on those 403s. If Jenkins did that, there'd be one 403, a redirect to login and there the browser tab would sit, showing a login screen. And an IPS would not be triggered.
Edit: removed the dashboard tag, realised it's definitely the Build Executor div causing this. Also, it's been noted to me this is a regression as the Build Executor box didn't use to do this. Perhaps the response code has changed or the way Jenkins handles session timeouts?
Hope that makes sense!
Thanks,
Greg
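The behaviour the report asks for, as an added example that is neither Jenkins' code nor the reporter's: a poller that stops itself on the first 401/403 and hands off to a session-expired handler (normally a redirect to login), so an idle tab produces one refused request rather than a stream of them. The `/ajaxExecutors` and `/login` paths, the `startExecutorPolling` wiring and the simulated status sequences are assumptions.

```javascript
// Added example (not Jenkins' or the reporter's code): a build-executor style
// poller that stops on the first 401/403 and calls a session-expired handler
// instead of re-sending a request that will be refused every time.
function createPoller({ url, intervalMs, request, schedule, onUpdate, onSessionExpired }) {
  const state = { active: false, requests: 0, forbidden: 0 };
  function poll() {
    if (!state.active) return;
    state.requests += 1;
    request(url, (status, body) => {
      if (!state.active) return;              // stopped while the request was in flight
      if (status === 401 || status === 403) {
        // Session gone: stop first so no further refused requests go out, then hand off.
        state.forbidden += 1; state.active = false;
        onSessionExpired(status);
        return;
      }
      if (status === 200) onUpdate(body);
      // 5xx or a network error (status 0) is treated as transient: keep the cadence.
      schedule(poll, intervalMs);
    });
  }
  return {
    start() { if (!state.active) { state.active = true; poll(); } },
    stop() { state.active = false; },
    stats() { return { ...state }; },
  };
}
// Browser wiring (assumed endpoint and login paths): one 403, one redirect, then silence.
function startExecutorPolling(onUpdate) {
  return createPoller({
    url: '/ajaxExecutors', intervalMs: 5000, onUpdate,
    request: (u, cb) => fetch(u, { method: 'POST', credentials: 'same-origin' })
      .then(r => r.text().then(t => cb(r.status, t)), () => cb(0, '')),
    schedule: (fn, ms) => setTimeout(fn, ms),
    onSessionExpired: () =>
      window.location.assign('/login?from=' + encodeURIComponent(window.location.pathname)),
  });
}
// Offline simulation over a constructed status sequence: the fake scheduler runs the
// next tick immediately and the fake request stops answering once the list is exhausted.
function simulate(statuses) {
  let i = 0, updates = 0; const expired = [];
  const poller = createPoller({
    url: '/ajaxExecutors', intervalMs: 5000,
    request: (_u, cb) => { if (i < statuses.length) cb(statuses[i++], '<div id="executors"/>'); },
    schedule: (fn) => fn(),
    onUpdate: () => { updates += 1; },
    onSessionExpired: (s) => expired.push(s),
  });
  poller.start();
  return { ...poller.stats(), updates, expired };
}
```

`simulate([200, 200, 403, 200, 200])` sends exactly three requests and stops, whereas a 500 or network error in the sequence does not stop the loop.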
Links:
- Duplicates: JENKINS-40344 Leaving a page open past session expiry fills the logs on the master with "Found invalid crumb" warnings (Resolved)
[JENKINS-40380] AJAX callbacks generate 403s for expired sessions which can trigger an IPS
Change history:
- Epic Link: set to JENKINS-31156
- Description: edited (three revisions; the final text is the report above)
- Component/s: dashboard-view-plugin removed
- Assignee: Evan Van Dyke (vandyev) removed
- Epic Link: JENKINS-31156 removed
- Link: added "This issue duplicates"
- Resolution: set to Duplicate
- Status: Open to Resolved