Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-59193

Session-ID missing alongside CSRF tokens


    • Icon: Bug Bug
    • Resolution: Not A Defect
    • Icon: Major Major
    • swarm-plugin
    • None
    • Jenkins LTS 2.176.3

      Jenkins LTS 2.176.3 incorporated commit ace596, which factors the Session ID into the computation of CSRF crumbs; since a new Session ID is generated if none is provided, previously issued crumbs are rendered useless in the absence of a reusable Session ID. This currently prevents Swarm clients from connecting to Jenkins masters secured with the DefaultCrumbIssuer, since the generated crumb is immediately rendered useless.

      I think a fix would involve the Swarm plugin using a persistent session ID on the client-side. I labeled this issue as "minor", because an easy workaround exists (setting hudson.security.csrf.DefaultCrumbIssuer.EXCLUDE_SESSION_ID to true on the Jenkins master). It should be noted, however, that this reduces the efficacy of the fixes to SECURITY-626 and SECURITY-1491.

            basil Basil Crow
            katzdm Daniel Katz
            0 Vote for this issue
            4 Start watching this issue