JENKINS-16278

"Remember me on this computer" does not work, cookie is not accepted in new session

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Component/s: core
    • Environment:
      Jenkins 1.498 on Debian Squeeze with Java 1.6.0_26

      Description

      As of Jenkins version 1.498 the "Remember me" login cookie is not accepted resulting in a necessary login each time a new Jenkins session is started (loss of session cookie). The versions 1.496 and 1.497 did not show this issue.

      We are using Jenkins' built-in user authentication.

            Activity

            xiaopan3322 Bao Xiaopan(Bob) added a comment -

            Same problem occurred on my side...
            What's the latest status for this topic?!

            tle Timo Leinonen added a comment -

            We are experiencing the same issue, but on the LTS version 1.480.2

            lime Hendrik Millner added a comment -

            commit a9aff088 [SECURITY-49] introduced a change in signature generation for the remember me token in jenkins/core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java:
            String expectedTokenSignature = MAC.mac(userDetails.getUsername() + ":" + tokenExpiryTime + ":" + "N/A" + ":" + getKey());

            This code is used to VERIFY a cookie sent to Jenkins. The new verification process seems fine, but the change in code is NOT reflected in org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices.class . loginSuccess, where remember me cookies are created and sent to the user. Here, the old signature generation is still being used:
            String signatureValue = DigestUtils.md5Hex(username + ":" + expiryTime + ":" + password + ":" + key);

            I suggest either @Overriding TokenBasedRememberMeServices.loginSuccess in /jenkins-core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java as well to rely on TokenBasedRememberMeServices2.makeTokenSignature, or revert to the old md5 signature.

            Any comments?
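
The mismatch described in the comment above, as an added example that is not part of the original thread and not Jenkins or Acegi source: the issuing side still signs with the old MD5 scheme while the verifier recomputes the new MAC, so every freshly issued cookie is rejected until both sides share one signature routine. HMAC-SHA256 as a stand-in for MAC.mac(), the cookie layout base64(username:expiry:signature), every class and method name except makeTokenSignature, and all keys and credentials are assumptions constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added illustration of the JENKINS-16278 mismatch; not Jenkins or Acegi source.
public class RememberMeSignatureDemo {
    // Constructed demo secrets (assumptions): REALM_KEY stands in for getKey(),
    // MAC_SECRET for the secret behind Jenkins' MAC.mac().
    static final String REALM_KEY = "constructed-realm-key";
    static final byte[] MAC_SECRET = "constructed-mac-secret".getBytes(StandardCharsets.UTF_8);
    static final long TOKEN_VALIDITY_SECONDS = 1209600; // 14 days

    static String hex(byte[] raw) {
        StringBuilder sb = new StringBuilder(raw.length * 2);
        for (byte b : raw) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // Signature the inherited loginSuccess still produced: MD5 over fields that include the password.
    static String legacySignature(String user, long expiry, String password) throws Exception {
        String data = user + ":" + expiry + ":" + password + ":" + REALM_KEY;
        return hex(MessageDigest.getInstance("MD5").digest(data.getBytes(StandardCharsets.UTF_8)));
    }

    // Signature the verifier expects after SECURITY-49. The field layout is the one
    // quoted in the comment; HMAC-SHA256 is an assumed stand-in for MAC.mac().
    static String makeTokenSignature(String user, long expiry) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(MAC_SECRET, "HmacSHA256"));
        String data = user + ":" + expiry + ":" + "N/A" + ":" + REALM_KEY;
        return hex(mac.doFinal(data.getBytes(StandardCharsets.UTF_8)));
    }

    // Assumed cookie value layout: base64(username:expiryMillis:signature).
    static String encodeCookie(String user, long expiry, String signature) {
        String token = user + ":" + expiry + ":" + signature;
        return Base64.getEncoder().encodeToString(token.getBytes(StandardCharsets.UTF_8));
    }

    // Issuing side before the fix: old signature, new verifier.
    static String issueBeforeFix(String user, String password, long expiry) throws Exception {
        return encodeCookie(user, expiry, legacySignature(user, expiry, password));
    }

    // Issuing side after the fix: the same routine the verifier uses.
    static String issueAfterFix(String user, long expiry) throws Exception {
        return encodeCookie(user, expiry, makeTokenSignature(user, expiry));
    }

    // Verifying side: parse, check expiry, recompute the signature, compare.
    static boolean verify(String cookieValue, long nowMillis) throws Exception {
        String[] parts;
        long expiry;
        try {
            byte[] raw = Base64.getDecoder().decode(cookieValue);
            parts = new String(raw, StandardCharsets.UTF_8).split(":", -1);
            if (parts.length != 3) {
                return false;
            }
            expiry = Long.parseLong(parts[1]);
        } catch (IllegalArgumentException e) { // bad base64 or non-numeric expiry
            return false;
        }
        if (expiry < nowMillis) {
            return false; // token has expired
        }
        byte[] expected = makeTokenSignature(parts[0], expiry).getBytes(StandardCharsets.UTF_8);
        byte[] presented = parts[2].getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, presented); // constant-time comparison
    }

    public static void main(String[] args) throws Exception {
        long now = System.currentTimeMillis();
        long expiry = now + TOKEN_VALIDITY_SECONDS * 1000;
        String user = "alice";              // constructed account name
        String password = "constructed-pw"; // constructed password

        String before = issueBeforeFix(user, password, expiry);
        String after = issueAfterFix(user, expiry);
        // Signature computed for the original expiry, cookie claims one day more.
        String stretched = encodeCookie(user, expiry + 86_400_000L, makeTokenSignature(user, expiry));

        System.out.println("cookie issued before the fix accepted: " + verify(before, now));
        System.out.println("cookie issued after the fix accepted:  " + verify(after, now));
        System.out.println("cookie with altered expiry accepted:   " + verify(stretched, now));
        System.out.println("cookie presented after expiry accepted: " + verify(after, expiry + 1));
    }
}
```

The last two checks show what the signature protects: a cookie whose expiry field was edited, or whose expiry has passed, is refused even when issuing and verification agree.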

            jglick Jesse Glick added a comment -

            https://github.com/jenkinsci/jenkins/pull/673

            marscher Martin Scherer added a comment -

            Would love to see this pull request in the LTS version, as this is affected too.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Hendrik Millner
            Path:
            core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java
            http://jenkins-ci.org/commit/jenkins/91bbae3c35230734fd2cf6926a7ac1239119fc6e
            Log:
            [FIXED JENKINS-16278] Fixed RememberMe cookie signature generation (bugfix on SECURITY-49)

            New cookie signature generation was not implemented in creation of RememberMe cookie, but only in its verification.
            Fixed by new override TokenBasedRememberMeServices2.loginSuccess

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Olivier Lamy
            Path:
            core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java
            http://jenkins-ci.org/commit/jenkins/4325e006d84113f8e100ec59d03f94f98a6ef3a5
            Log:
            Merge pull request #673 from denebolar/JENKINS-16278

            [FIXED JENKINS-16278] Fixed RememberMe cookie signature generation (bugfix on SECURITY-49)
            Thanks

            Compare: https://github.com/jenkinsci/jenkins/compare/de9002b3985c...4325e006d841

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Olivier Lamy
            Path:
            changelog.html
            http://jenkins-ci.org/commit/jenkins/0b5a4a3550dcff91b1bedeb77415f683b659634b
            Log:
            changelog entry for JENKINS-16278

            dogfood dogfood added a comment -

            Integrated in jenkins_main_trunk #2213
            [FIXED JENKINS-16278] Fixed RememberMe cookie signature generation (bugfix on SECURITY-49) (Revision 91bbae3c35230734fd2cf6926a7ac1239119fc6e)
            changelog entry for JENKINS-16278 (Revision 0b5a4a3550dcff91b1bedeb77415f683b659634b)

            Result = SUCCESS
            hendrik.millner : 91bbae3c35230734fd2cf6926a7ac1239119fc6e
            Files :

            • core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java

            Olivier Lamy : 0b5a4a3550dcff91b1bedeb77415f683b659634b
            Files :

            • changelog.html

            pickgr1 pickgr added a comment -

            Please create a new LTS version including this fix.

            jglick Jesse Glick added a comment -

            @pickgr1 it is already on the 1.480.3 backport candidate list.

            jglick Jesse Glick added a comment -

            Not sure why this did not already get marked fixed automatically.

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Hendrik Millner
            Path:
            core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java
            http://jenkins-ci.org/commit/jenkins/83c95d51bae57fc328e5b1fb080875234a1b0429
            Log:
            [FIXED JENKINS-16278] Fixed RememberMe cookie signature generation (bugfix on SECURITY-49)

            New cookie signature generation was not implemented in creation of RememberMe cookie, but only in its verification.
            Fixed by new override TokenBasedRememberMeServices2.loginSuccess
            (cherry picked from commit 91bbae3c35230734fd2cf6926a7ac1239119fc6e)

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Olivier Lamy
            Path:
            changelog.html
            http://jenkins-ci.org/commit/jenkins/fa6a84c54506fc25531a039f931870880f6fa182
            Log:
            changelog entry for JENKINS-16278 (cherry picked from commit 0b5a4a3550dcff91b1bedeb77415f683b659634b)

            Conflicts:
            changelog.html

            tomhe Tomas Hellberg added a comment -

            For which release will this fix be available? I'm at 1.500 and still have to keep logging in over and over.

            lime Hendrik Millner added a comment -

            It is queued for 1.501

            aartemov Alexander Artemov added a comment -

            I still have the same issue in Jenkins 1.502 - every half an hour to an hour I am logged off and have to log in again.

            lime Hendrik Millner added a comment -

            Personally, I do not experience this problem in 1.502. What does your RememberMe cookie look like (contents of ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE)? Please have a look at the expiration date, as well.

            aartemov Alexander Artemov added a comment -

            It looks like:
            YWFydGVtb3Y6MTM2MTQyNzY0NDA0OTpjZjdlYjZmNTI2NjA2ZDg1Mzc5NWEwMDkyMGUzODhmMw==

            Its expiration date is 6.5 hours earlier than the present time.

            lime Hendrik Millner added a comment -

            Whoops.. Well, the token is looking fine, but the expiration date is not. The system clock of your Jenkins is not coincidentally running behind by two weeks and 6.5 hours, relative to your system time?
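
For checking a value like the one quoted above, this added example (not part of the thread, and not Jenkins or Acegi code) splits a remember-me cookie into its username, expiry and signature fields and reports the expiry against a reference time, so the embedded timestamp can be compared with the server clock. The layout base64(username:expiryMillis:signature), the class and method names, and the 14-day expected window are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;

// Added diagnostic helper for this thread; not Jenkins or Acegi source.
public class RememberMeCookieInspector {
    // Expected validity window ("two weeks" in the thread); an assumption of this helper.
    static final Duration EXPECTED_VALIDITY = Duration.ofDays(14);

    static final class Token {
        final String username;
        final Instant expiry;
        final String signature;

        Token(String username, Instant expiry, String signature) {
            this.username = username;
            this.expiry = expiry;
            this.signature = signature;
        }
    }

    // Assumed layout: base64(username:expiryMillis:signature).
    static Token parse(String cookieValue) {
        byte[] raw = Base64.getDecoder().decode(cookieValue.trim());
        String[] parts = new String(raw, StandardCharsets.UTF_8).split(":", -1);
        if (parts.length != 3) {
            throw new IllegalArgumentException("expected 3 ':'-separated fields, got " + parts.length);
        }
        return new Token(parts[0], Instant.ofEpochMilli(Long.parseLong(parts[1])), parts[2]);
    }

    // Classifies the signature by shape only; it does not verify it.
    static String signatureShape(String signature) {
        if (!signature.matches("[0-9a-f]+")) {
            return "not lowercase hex";
        }
        switch (signature.length()) {
            case 32: return "32 hex chars (128-bit, MD5-sized)";
            case 64: return "64 hex chars (256-bit, SHA-256-sized)";
            default: return signature.length() + " hex chars";
        }
    }

    // Reports where the embedded expiry lies relative to the reference clock.
    static String describeExpiry(Token t, Instant reference) {
        Duration remaining = Duration.between(reference, t.expiry);
        if (remaining.isNegative()) {
            return "expired " + remaining.negated() + " before the reference time";
        }
        if (remaining.compareTo(EXPECTED_VALIDITY) > 0) {
            return "expires in " + remaining + ", longer than the expected window";
        }
        return "expires in " + remaining;
    }

    static String describe(Token t, Instant reference) {
        return "user:      " + t.username + "\n"
             + "expiry:    " + t.expiry + " (UTC)\n"
             + "status:    " + describeExpiry(t, reference) + "\n"
             + "signature: " + signatureShape(t.signature);
    }

    public static void main(String[] args) {
        // Default input: the cookie value quoted in the comment above.
        String cookie = args.length > 0 ? args[0]
                : "YWFydGVtb3Y6MTM2MTQyNzY0NDA0OTpjZjdlYjZmNTI2NjA2ZDg1Mzc5NWEwMDkyMGUzODhmMw==";
        // Reference time: the server clock at the moment of the check (ISO-8601 instant), default now.
        Instant reference = args.length > 1 ? Instant.parse(args[1]) : Instant.now();
        System.out.println(describe(parse(cookie), reference));
    }
}
```

Pass the server's clock reading as the second argument to see how far the embedded expiry lies from the time the cookie was issued.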

            aartemov Alexander Artemov added a comment -

            No, Jenkins runs at the same time as my machine. Jenkins runs on a server whose time is the same as on my machine. It's Feb 20, 2013 5:49:00 PM now in Jenkins.

            lime Hendrik Millner added a comment -

            You should create a new log recorder to have a closer look at the debugging messages concerning the RememberMe cookie. You can do this at Manage Jenkins > Logs.
            Add a new log recorder with any name you like and then add a logger "org.acegisecurity.ui.rememberme" in its configuration, setting the severity in the drop-down list to "FINE".

            This log recorder should then present you lots of messages around the RememberMe token. Upon a new login with "remember me" set, you should get a log line like this one:
            "Feb 20, 2013 4:24:31 PM hudson.security.TokenBasedRememberMeServices2 loginSuccess
            FINE: Added remember-me cookie for user 'millner', expiry: 'Wed Mar 06 16:24:31 CET 2013'"

            What expiration date is shown there at your Jenkins?

            aartemov Alexander Artemov added a comment - - edited

            Created and the date is ok - Feb 21, 2013 10:54:37 (this is our local time - Russia, Saint-Petersburg)

            lime Hendrik Millner added a comment -

            But this date should point to two weeks in the future... Seems to be a problem with
            long expiryTime = System.currentTimeMillis() + (tokenValiditySeconds * 1000);
            For some reason your tokenValiditySeconds seems to be zero (or less).

            This field is also used as maxCookieAge and is actually never ever touched in Jenkins. It is initialized with
            protected long tokenValiditySeconds = 1209600; // 14 days
            and thus should not be zero...
            Does anyone else have an idea on this? I cannot tell anything more without extra debugging information, but since I cannot reproduce the error on my system we would need to do this on your system.

            aartemov Alexander Artemov added a comment -

            Now I have the correct date 2 weeks in the future, but anyway I have to log in 10 times a day because I often get logged out.

            kohsuke Kohsuke Kawaguchi added a comment -

            The last comment from Alexander Artemov seems to indicate the problem is resolved, so I'm marking it closed until we hear otherwise.

            m_broida m_broida added a comment - - edited

            His last comment (30/Jul/13) says he still has to login 10 times a day.
            That doesn't sound "resolved" to me.

            I'm using Jenkins 1.542, and several times a day Jenkins forgets that I'm logged in.
            Browser (Chrome) stays open, but refreshed page is suddenly logged out.

            We do not use ActiveDirectory, so this is not related to JENKINS-9258.
            We use a local script for authentication.

            Oh, &_)% While typing this entry, Jenkins logged me out AGAIN. Why?

            lime Hendrik Millner added a comment -

            It would be great to have some insight into your org.acegisecurity.ui.rememberme log (as described above, 20/Feb/13 3:33 PM), your ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE metadata (time of expiration, ...), the exact Jenkins server time when the cookie is issued (when you perform the login with checked 'remember me'), and finally your system time when you perform the login.

            m_broida m_broida added a comment -

            I apologize for not reading the earlier posts in more detail.
            I added the LogRecorder and the logger as described above.
            When I logout and back in, this (among other detail) shows in the log:

            Mar 17, 2014 3:49:09 PM FINE org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices loginSuccess
            Added remember-me cookie for user 'michael.broida', expiry: 'Mon Mar 31 15:49:09 GMT 2014'

            So it's set to expire in two weeks: Mar 31 - Mar 17 = 14 days.
            My system time was about 10:49AM (US CDT) and the Jenkins Master node time was: 3:49:09PM (UTC). So those line up correctly: US CDT = UTC-5.
            I see log entries like this one [cleansed], apparently every time I click a Jenkins link:

            Mar 17, 2014 3:49:09 PM FINE org.acegisecurity.ui.rememberme.RememberMeProcessingFilter doFilter
            SecurityContextHolder not populated with remember-me token, as it already contained: 'org.acegisecurity.providers.UsernamePasswordAuthenticationToken@f05122ff: Username: org.acegisecurity.userdetails.User@0: Username: michael.broida; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: authenticated, USER, admin; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@957e: RemoteIpAddress: [nn.nn.nn.nn]; SessionId: 178z3b1pbslvm1hyjg8qchd6wo; Granted Authorities: authenticated, USER, admin'

            Chrome shows an ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE cookie with same Mar 31 expiration as above.

            We'll see if Jenkins logs me out in the next couple of hours....

            m_broida m_broida added a comment - - edited

            I had to close the browser/reboot, so expected the cookie to be deleted. It was, so I was logged out.
            Logged into Jenkins again: new cookie good for 14 days from today.
            We'll see how it goes this time...

            LATER: No problem the rest of that day.
            I'll repost the next time Jenkins logs me out WITHOUT closing the browser.

            m_broida m_broida added a comment -

            First login this morning, I did NOT get the ACEGI... cookie. :/
            So I shut down the browser (set to delete all cookies), and restarted.
            This time the cookie shows up.

            The org.acegisecurity.ui.rememberme log does not go back far enough to show that first login. It does show the second ("Added remember-me cookie...." same as above.).

            So, I can't tell WHY that first login did not result in a cookie. :/

            m_broida m_broida added a comment -

            OK, same thing today: first login did not save the ACEGI... cookie.
            Logged out and back in, and got that cookie. AND it has not logged me out all day.
            So, sounds like "cookie is not accepted" is actually the cause of logouts for me.

            Now, how do I figure out WHY the cookie is not being accepted? (or not being sent)
            Jenkins 1.542 on Windows, using local login authentication (no AD).

            rupunzlkim Kim Abbott added a comment -

            So we still have this issue - we have 3 versions of Jenkins installed on 3 different Linux servers, and any time we log into one UI, it logs us out of the other UIs, so we're constantly having to log back in, over and over. Some other details:

            Jenkins 1: 1.608

            Jenkins 2: 2.7.4, running under Apache Tomcat/7.0.53

            Jenkins 3: 2.73, running under Apache Tomcat/9.0.0.M27

            I cannot see any instance of cookies created in my Chrome. I only see JSESSIONID under each

            lime Hendrik Millner added a comment -

            Hi Kim,

            May I also ask you to set up a logger according to comment https://issues.jenkins-ci.org/browse/JENKINS-16278?focusedCommentId=174193&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-174193 please? It would be great to be sure whether a correct remember me cookie is created, or not.

            rupunzlkim Kim Abbott added a comment - - edited

            Thank you Hendrik, I did set up a logger, here is what appears repeatedly from Jenkins 3.

            SecurityContextHolder not populated with remember-me token, as it already contained: 'org.acegisecurity.providers.rememberme.RememberMeAuthenticationToken@edd9cf3c: Username: hudson.security.HudsonPrivateSecurityRealm$Details@7e08bf1b; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@3bcc: RemoteIpAddress: <my PC IP>; SessionId: null; Granted Authorities: authenticated'

            And this is the exact same message I get from Jenkins 2.

            The entry from Jenkins 1 though is a bit different - note there is a SessionID value:

            SecurityContextHolder not populated with remember-me token, as it already contained: 'org.acegisecurity.providers.UsernamePasswordAuthenticationToken@9a1e6431: Username: hudson.security.HudsonPrivateSecurityRealm$Details@305806; Password: [PROTECTED]; Authenticated: true; Details: org.acegisecurity.ui.WebAuthenticationDetails@ffff8868: RemoteIpAddress: <my PC IP>; SessionId: 1sc6t6z8jn1cr2fvqou5qovze; Granted Authorities: authenticated'

             

            lime Hendrik Millner added a comment -

            This shows that your authentication is retained by the session ID cookie, at least if it is not null. Does this message look different after you were kicked out from the system? Please check the log on the Jenkins instance you were kicked out of. Actually, you should be re-authenticated by your session ID cookie, at least as long as you do not close your browser, or any add-on deletes the cookie. Do you have simultaneous session ID cookies for all of your Jenkins instances in your browser, after you logged in to all instances? Or only one cookie for the last instance you logged into? The session ID cookies expire only when you close your browser.

            Anyways, the different Jenkins instances should not be able to influence each other in your browser, especially if they are hosted on different servers. Do you route the Jenkins UIs through one and the same web server, so that the cookies from the different instances may collide (e.g. http://myserver/jenkins1/ and http://myserver/jenkins2/)?

            rupunzlkim Kim Abbott added a comment -

            So, I am now noticing that it appears that I'm only running into an issue when I attempt to stay logged into the older Jenkins 1 alongside one of the newer Jenkins 2/3. Lately it appears that if I'm only trying to stay logged into either Jenkins 2/3 I stay logged in, but I can't maintain a login with Jenkins 1 and Jenkins 2/3.

            lime Hendrik Millner added a comment -

            I am sorry, I cannot help you without further and deeper insight into your system (browser/ server). It seems you have a problem with the Jenkins cookies in general, not with the remember me token in particular.


              People

              Assignee: lime Hendrik Millner
              Reporter: lime Hendrik Millner
              Votes: 29
              Watchers: 35