
Scheduling build from dashboard sometimes says "Build scheduled", but it is not scheduled

    • Bug
    • Resolution: Fixed
    • Minor
    • core
    • Jenkins 2.462.2, running on Alma Linux; Firefox browser with Simple Tab Groups
    • 2.481

      When returning to the Jenkins tab on my browser, I will often click on the arrow on the right side to schedule a build.  Usually, it says "Build scheduled" and the build is actually scheduled.  Sometimes, the "Build scheduled" message appears but the build is not actually scheduled.

      It apparently happens when I return to the tab after having been away from the tab for too long.

      Digging deeper when it does not work, with Developer Tools, I can see that there was an error on response to the AJAX call.

      Error 403 No valid crumb was included in the request

      Bug 1:  The UI will indicate that the build is scheduled when it is not.  The clicking of the button should detect the return value of the request and change the message if the request failed.

      I do not know exactly what a crumb is in this framework.  I can reload the page without having to log in again, so I still have a valid session.  A "crumb" is obviously some implementation detail that is leaking to the user, when it is not otherwise known to the user.

      Bug 2: The request to start a build should rely on the session, not on some crumb concept that is not known to the user.

          [JENKINS-73813] Scheduling build from dashboard sometimes says "Build scheduled", but it is not scheduled

          Markus Winter added a comment - - edited

          A crumb is a protection mechanism against CSRF attacks and is required (many websites have similar protection mechanisms). See https://www.jenkins.io/doc/book/security/csrf-protection/


          Chris added a comment -

          Thanks, Markus, for the explanation and the link.  I had presumed that time since last visiting the dashboard tab was a major factor, but that assumption appears incorrect based on the information in the link.

          The relevant part seems to be that the crumb includes "The IP address of the user that the crumb was generated for".  I get a different IP address when I switch from wired to wireless, or when I go from in the office to at home with a VPN connection.  For my use case, the IP address is an overly strong requirement that causes inconvenience, though more experienced security experts might say it is appropriate.

          Regardless of what you decide is best for that part of the issue, a more correct and appropriate message for when this issue does occur would help.


            mawinter69 Markus Winter
            maeichris Chris
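Added example, not part of the original issue and not Jenkins's own code: a client-side handler for "Bug 1" in the description, which reads the response status before showing "Build scheduled" and reports a rejected crumb explicitly. The function names, the `/job/example/build` path and the crumb value are assumptions made for illustration; `Jenkins-Crumb` is the default crumb header name.

```javascript
// Added example: classifyBuildResponse and scheduleBuild are hypothetical names.
// Maps the HTTP result of a "schedule build" POST to the message the UI should show.
function classifyBuildResponse(status, bodyText) {
  if (status >= 200 && status < 300) {
    return { scheduled: true, crumbRejected: false, message: "Build scheduled" };
  }
  // The failure from the report: 403 with "No valid crumb was included in the request".
  if (status === 403 && /No valid crumb/i.test(bodyText || "")) {
    return {
      scheduled: false,
      crumbRejected: true,
      message: "Build not scheduled: the CSRF crumb was rejected. Reload the page and try again.",
    };
  }
  return { scheduled: false, crumbRejected: false, message: `Build not scheduled (HTTP ${status})` };
}

// Sends the POST with the crumb header and reports success only after checking the status.
// fetchImpl is injectable so the function can be exercised offline.
async function scheduleBuild(buildUrl, crumb, fetchImpl = globalThis.fetch) {
  let response;
  try {
    response = await fetchImpl(buildUrl, {
      method: "POST",
      headers: { [crumb.field]: crumb.value },
      credentials: "same-origin",
    });
  } catch (err) {
    // Network-level failure: the request never produced a status code.
    return { scheduled: false, crumbRejected: false, message: `Build not scheduled: ${err.message}` };
  }
  const bodyText = response.ok ? "" : await response.text();
  return classifyBuildResponse(response.status, bodyText);
}

// Constructed responses standing in for the server (not captured traffic).
const fakeOk = async () => ({ ok: true, status: 201, text: async () => "" });
const fakeStale = async () => ({
  ok: false, status: 403, text: async () => "No valid crumb was included in the request",
});
const sampleCrumb = { field: "Jenkins-Crumb", value: "constructed-crumb-value" };

scheduleBuild("/job/example/build", sampleCrumb, fakeOk).then((r) => console.log(r.message));
scheduleBuild("/job/example/build", sampleCrumb, fakeStale).then((r) => console.log(r.message));
```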