• Type: Bug
    • Resolution: Not A Defect
    • Priority: Major
    • Component: swarm-plugin
    • Environment: Jenkins LTS 2.176.3

      Jenkins LTS 2.176.3 incorporated commit ace596, which factors the Session ID into the computation of CSRF crumbs; since a new Session ID is generated if none is provided, previously issued crumbs are rendered useless in the absence of a reusable Session ID. This currently prevents Swarm clients from connecting to Jenkins masters secured with the DefaultCrumbIssuer, since the generated crumb is immediately rendered useless.

      I think a fix would involve the Swarm plugin using a persistent session ID on the client-side. I labeled this issue as "minor", because an easy workaround exists (setting hudson.security.csrf.DefaultCrumbIssuer.EXCLUDE_SESSION_ID to true on the Jenkins master). It should be noted, however, that this reduces the efficacy of the fixes to SECURITY-626 and SECURITY-1491.
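The mechanism the report describes can be reproduced offline with a small model: a crumb issuer that binds the crumb to the session ID, a master that mints a fresh session whenever a request arrives without one, and a client that either keeps its cookie jar between the crumb fetch and the protected request or throws it away. The code below is an added illustration, not Jenkins' DefaultCrumbIssuer or the Swarm plugin's code; the HMAC construction, the `/plugin/swarm/createSlave` path and the toy request/response types are assumptions made for the example (the `/crumbIssuer/api/json` path and `Jenkins-Crumb` header are the real Jenkins names).

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Toy model of session-bound CSRF crumbs, written for this issue. It is NOT
# Jenkins' DefaultCrumbIssuer; it only mirrors the behaviour described above:
# the crumb is an HMAC over the user and the session ID (unless the
# EXCLUDE_SESSION_ID workaround is on), so it is only valid for the session
# that fetched it.


@dataclass
class Request:            # constructed stand-in for an HTTP request
    path: str
    user: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:           # constructed stand-in for an HTTP response
    status: int
    body: dict
    set_cookie: dict = field(default_factory=dict)


class CrumbIssuer:
    """Crumb = HMAC(secret, user ; session_id). Assumed, simplified model."""

    def __init__(self, exclude_session_id: bool = False):
        self.secret = secrets.token_bytes(32)          # per-master secret
        self.exclude_session_id = exclude_session_id   # the workaround flag

    def issue(self, user: str, session_id: str) -> str:
        bound = "" if self.exclude_session_id else session_id
        return hmac.new(self.secret, f"{user};{bound}".encode(), hashlib.sha256).hexdigest()

    def validate(self, user: str, session_id: str, crumb: str) -> bool:
        return hmac.compare_digest(self.issue(user, session_id), crumb)


class Master:
    """Minimal stand-in for a Jenkins master: starts a session when the client
    sends none, hands out crumbs, and checks them on a state-changing request."""

    CRUMB_PATH = "/crumbIssuer/api/json"           # real Jenkins crumb endpoint
    PROTECTED_PATH = "/plugin/swarm/createSlave"   # illustrative protected endpoint

    def __init__(self, exclude_session_id: bool = False):
        self.issuer = CrumbIssuer(exclude_session_id)

    def handle(self, req: Request) -> Response:
        # No JSESSIONID cookie -> brand-new session ID, which is exactly what
        # invalidates a crumb issued to the previous (now unknown) session.
        session_id = req.cookies.get("JSESSIONID")
        set_cookie = {}
        if session_id is None:
            session_id = secrets.token_hex(16)
            set_cookie["JSESSIONID"] = session_id

        if req.path == self.CRUMB_PATH:
            return Response(200, {"crumb": self.issuer.issue(req.user, session_id)}, set_cookie)

        if req.path == self.PROTECTED_PATH:
            crumb = req.headers.get("Jenkins-Crumb", "")
            if not self.issuer.validate(req.user, session_id, crumb):
                return Response(403, {"error": "No valid crumb was included in the request"}, set_cookie)
            return Response(200, {"ok": True}, set_cookie)

        return Response(404, {}, set_cookie)


class SwarmClient:
    """Client that either keeps its cookie jar across requests (the persistent
    session the report suggests) or discards cookies every time (the failure)."""

    def __init__(self, master: Master, user: str, persist_session: bool):
        self.master, self.user, self.persist_session = master, user, persist_session
        self.jar: dict = {}

    def _request(self, path: str, headers: Optional[dict] = None) -> Response:
        resp = self.master.handle(Request(path, self.user, headers or {}, dict(self.jar)))
        if self.persist_session:
            self.jar.update(resp.set_cookie)   # remember JSESSIONID for the next call
        return resp

    def connect(self) -> int:
        crumb = self._request(Master.CRUMB_PATH).body["crumb"]
        return self._request(Master.PROTECTED_PATH, {"Jenkins-Crumb": crumb}).status


def connect_status(persist_session: bool, exclude_session_id: bool) -> int:
    """HTTP status the protected request receives under the given settings."""
    return SwarmClient(Master(exclude_session_id), "swarm", persist_session).connect()


if __name__ == "__main__":
    print("no cookie jar, session-bound crumb:", connect_status(False, False))  # 403
    print("persistent session               :", connect_status(True, False))   # 200
    print("EXCLUDE_SESSION_ID workaround     :", connect_status(False, True))   # 200
```

The three runs at the bottom correspond to the three states in the report: the client that drops its session gets 403 against a session-bound issuer, carrying the JSESSIONID cookie forward makes the same crumb valid, and `EXCLUDE_SESSION_ID` restores the old behaviour at the cost of the session binding that the crumb change was meant to add.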

          [JENKINS-59193] Session-ID missing alongside CSRF tokens

          Daniel Katz created issue
          Basil Crow made changes:
          Link New: This issue is duplicated by JENKINS-59305 [ JENKINS-59305 ]
          Basil Crow made changes:
          Assignee New: Basil Crow [ basil ]
          Basil Crow made changes:
          Priority Original: Minor [ 4 ] New: Major [ 3 ]
          Basil Crow made changes:
          Status Original: Open [ 1 ] New: In Progress [ 3 ]
          Daniel Katz made changes:
          Resolution New: Not A Defect [ 7 ]
          Status Original: In Progress [ 3 ] New: Closed [ 6 ]

            Assignee: Basil Crow (basil)
            Reporter: Daniel Katz (katzdm)
            Votes: 0
            Watchers: 4
