[JIRA] (JENKINS-16278) "Remember me on this computer" does not work, cookie is not accepted in new session


JIRA noreply@jenkins-ci.org
Issue Type: Bug
Affects Versions: current
Assignee: Unassigned
Components: security
Created: 08/Jan/13 12:15 PM
Description:

As of Jenkins version 1.498 the "Remember me" login cookie is not accepted resulting in a necessary login each time a new Jenkins session is started (loss of session cookie). The versions 1.496 and 1.497 did not show this issue.

Environment: Jenkins 1.498 on Debian Squeeze with Java 1.6.0_26
Project: Jenkins
Priority: Major
Reporter: Hendrik Millner
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators.
For more information on JIRA, see: http://www.atlassian.com/software/jira

JIRA noreply@jenkins-ci.org
Change By: Hendrik Millner (08/Jan/13 12:29 PM)
Description: As of Jenkins version 1.498 the "Remember me" login cookie is not accepted resulting in a necessary login each time a new Jenkins session is started (loss of session cookie). The versions 1.496 and 1.497 did not show this issue.

We are using Jenkins' built-in user authentication.

JIRA noreply@jenkins-ci.org

Same problem occurred on my side...
What's the latest status for this topic?!


JIRA noreply@jenkins-ci.org

We are experiencing the same issue, but on the LTS version 1.480.2


JIRA noreply@jenkins-ci.org
Hendrik Millner started work on Bug JENKINS-16278
Change By: Hendrik Millner (15/Jan/13 3:40 PM)
Status: Open → In Progress

JIRA noreply@jenkins-ci.org

commit a9aff088 [SECURITY-49] introduced a change in signature generation for the remember me token in jenkins/core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java:
String expectedTokenSignature = MAC.mac(userDetails.getUsername() + ":" + tokenExpiryTime + ":" + "N/A" + ":" + getKey());

This code is used to VERIFY a cookie sent to Jenkins. The new verification process seems fine, but the change in code is NOT reflected in org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices.class . loginSuccess, where remember me cookies are created and sent to the user. Here, the old signature generation is still being used:
String signatureValue = DigestUtils.md5Hex(username + ":" + expiryTime + ":" + password + ":" + key);

I suggest either @Overriding TokenBasedRememberMeServices.loginSuccess in /jenkins-core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java as well to rely on TokenBasedRememberMeServices2.makeTokenSignature, or revert to the old md5 signature.

Any comments?

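The mismatch described in the comment above, as an added example that is not part of the original thread or of the Jenkins code base: a cookie signature issued with the old MD5 scheme is rejected by a verifier that expects the new MAC scheme, and is accepted once issuer and verifier share one signature routine. HMAC-SHA256 is an assumed stand-in for Jenkins' `MAC.mac`; the class name, `KEY`, `MAC_SECRET`, the user name and the password are constructed values.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class RememberMeMismatch {
    // Constructed sample secrets (assumptions, not Jenkins values).
    static final String KEY = "constructed-remember-me-key";    // plays the role of getKey()
    static final String MAC_SECRET = "constructed-mac-secret";  // secret behind the MAC stand-in

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Old scheme, still used when the cookie is created: MD5 over user:expiry:password:key.
    static String md5Signature(String user, long expiry, String password) throws Exception {
        String data = user + ":" + expiry + ":" + password + ":" + KEY;
        return hex(MessageDigest.getInstance("MD5").digest(data.getBytes(StandardCharsets.UTF_8)));
    }

    // New scheme used when the cookie is verified: MAC over user:expiry:N/A:key.
    static String macSignature(String user, long expiry) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256"); // assumed stand-in for MAC.mac
        mac.init(new SecretKeySpec(MAC_SECRET.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        String data = user + ":" + expiry + ":" + "N/A" + ":" + KEY;
        return hex(mac.doFinal(data.getBytes(StandardCharsets.UTF_8)));
    }

    // Verifier: reject expired tokens, recompute the expected signature, compare in constant time.
    static boolean verify(String user, long expiry, String presented) throws Exception {
        if (expiry < System.currentTimeMillis()) return false;
        byte[] expected = macSignature(user, expiry).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, presented.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        long expiry = System.currentTimeMillis() + 14L * 24 * 60 * 60 * 1000;
        // Before the fix: creation and verification use different signature schemes.
        String issuedOld = md5Signature("alice", expiry, "constructed-password");
        // After the fix: creation calls the same routine the verifier uses.
        String issuedNew = macSignature("alice", expiry);
        System.out.println("old-scheme cookie accepted: " + verify("alice", expiry, issuedOld));
        System.out.println("shared-scheme cookie accepted: " + verify("alice", expiry, issuedNew));
    }
}
```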

JIRA noreply@jenkins-ci.org
Change By: Hendrik Millner (15/Jan/13 8:21 PM)
Assignee: Hendrik Millner

JIRA noreply@jenkins-ci.org
Jesse Glick commented on Bug JENKINS-16278

JIRA noreply@jenkins-ci.org

Would love to see this pull request in the LTS version, as this is affected too.


JIRA noreply@jenkins-ci.org

Code changed in jenkins
User: Olivier Lamy
Path:
core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java
http://jenkins-ci.org/commit/jenkins/4325e006d84113f8e100ec59d03f94f98a6ef3a5
Log:
Merge pull request #673 from denebolar/JENKINS-16278

[FIXED JENKINS-16278] Fixed RememberMe cookie signature generation (bugfix on SECURITY-49)
Thanks

Compare: https://github.com/jenkinsci/jenkins/compare/de9002b3985c...4325e006d841


JIRA noreply@jenkins-ci.org

Code changed in jenkins
User: Hendrik Millner
Path:
core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java
http://jenkins-ci.org/commit/jenkins/91bbae3c35230734fd2cf6926a7ac1239119fc6e
Log:
[FIXED JENKINS-16278] Fixed RememberMe cookie signature generation (bugfix on SECURITY-49)

New cookie signature generation was not implemented in creation of RememberMe cookie, but only in its verification.
Fixed by new override TokenBasedRememberMeServices2.loginSuccess


JIRA noreply@jenkins-ci.org

Code changed in jenkins
User: Olivier Lamy
Path:
changelog.html
http://jenkins-ci.org/commit/jenkins/0b5a4a3550dcff91b1bedeb77415f683b659634b
Log:
changelog entry for JENKINS-16278


JIRA noreply@jenkins-ci.org
dogfood commented on Bug JENKINS-16278

Integrated in jenkins_main_trunk #2213
[FIXED JENKINS-16278] Fixed RememberMe cookie signature generation (bugfix on SECURITY-49) (Revision 91bbae3c35230734fd2cf6926a7ac1239119fc6e)
changelog entry for JENKINS-16278 (Revision 0b5a4a3550dcff91b1bedeb77415f683b659634b)

Result = SUCCESS
hendrik.millner : 91bbae3c35230734fd2cf6926a7ac1239119fc6e
Files :

  • core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java

Olivier Lamy : 0b5a4a3550dcff91b1bedeb77415f683b659634b
Files :

  • changelog.html

JIRA noreply@jenkins-ci.org
pickgr1 commented on Bug JENKINS-16278

Please create a new LTS version including this fix.


JIRA noreply@jenkins-ci.org
Jesse Glick commented on Bug JENKINS-16278

@pickgr1 it is already on the 1.480.3 backport candidate list.


JIRA noreply@jenkins-ci.org
Jesse Glick resolved Bug JENKINS-16278 as Fixed

Not sure why this did not already get marked fixed automatically.

Change By: Jesse Glick (24/Jan/13 7:22 PM)
Status: In Progress → Resolved
Resolution: Fixed

JIRA noreply@jenkins-ci.org

Code changed in jenkins
User: Hendrik Millner
Path:
core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java
http://jenkins-ci.org/commit/jenkins/83c95d51bae57fc328e5b1fb080875234a1b0429
Log:
[FIXED JENKINS-16278] Fixed RememberMe cookie signature generation (bugfix on SECURITY-49)

New cookie signature generation was not implemented in creation of RememberMe cookie, but only in its verification.
Fixed by new override TokenBasedRememberMeServices2.loginSuccess
(cherry picked from commit 91bbae3c35230734fd2cf6926a7ac1239119fc6e)


JIRA noreply@jenkins-ci.org

Code changed in jenkins
User: Olivier Lamy
Path:
changelog.html
http://jenkins-ci.org/commit/jenkins/fa6a84c54506fc25531a039f931870880f6fa182
Log:
changelog entry for JENKINS-16278
(cherry picked from commit 0b5a4a3550dcff91b1bedeb77415f683b659634b)

Conflicts:
changelog.html


JIRA noreply@jenkins-ci.org

For which release will this fix be available? I'm at 1.500 and still have to keep logging in over and over.


--
You received this message because you are subscribed to the Google Groups "Jenkins Issues" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
For more options, visit https://groups.google.com/groups/opt_out.
 
 

JIRA noreply@jenkins-ci.org

It is queued for 1.501
