  1. Artifactory Binary Repository
  2. RTFACT-12902

Logging out of Artifactory using Crowd SSO may not cause a logout from other SSO applications


    Details

    • Type: Bug
    • Status: Closed
    • Resolution: Deferred
    • Affects Version/s: 4.14.1
    • Fix Version/s: None
    • Component/s: Crowd
    • Labels:
      None
    • Severity:
      High

      Description

      This issue applies when working on a single domain, with Crowd and the rest of the connected SSO applications configured to produce a domain-level SSO cookie (cookie.domain), which is configurable in the crowd.properties file.

      To reproduce:

      1. Empty Crowd's "SSO domain" setting in the UI, add cookie.domain=.mydomain.com to crowd.properties in Crowd's home, and restart Crowd.
      2. In Jira/Confluence's WEB-INF/crowd.properties, set cookie.domain=.mydomain.com.
      3. Log into Artifactory (assuming it's at foo.mydomain.com/artifactory) in one browser tab, and log into Jira/Confluence (assuming it's at bar.mydomain.com) in another browser tab.
      4. View your cookies. You should see two crowd.token_key SSO cookies: one issued under foo.mydomain.com by Artifactory and another issued under .mydomain.com by Confluence/Jira.
      5. Now, if you log out of Artifactory in one tab, it destroys the crowd.token_key under the host foo.mydomain.com, but since the crowd.token_key cookie under the domain .mydomain.com still remains, you are still logged in to Confluence/Jira. Reload the Jira/Confluence tab and you will see that you are still logged in even though you have logged out of your SSO session in Artifactory.

        • Two attached screenshots show the difference in the cookies produced by Artifactory and JIRA. Notable is the artifactory.cookies.png screenshot, where two JSESSIONID cookies are produced by Artifactory (one is the host-level one and one is the correct domain-level one).
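
The cookie scoping behind steps 3 to 5, as an added example that is not part of the original report or of Artifactory's code: a simplified cookie jar (RFC 6265 matching, paths and expiry dates omitted) shows why expiring the host-only cookie leaves the domain cookie in place. The token value is constructed, and the domain-aware logout is a hypothetical remediation, not a fix shipped by the project.

```javascript
// Simplified browser cookie jar. Host names follow the report; values are constructed.
class CookieJar {
  constructor() { this.cookies = []; }

  // Apply a Set-Cookie received from `host`. No `domain` attribute => host-only cookie.
  set(host, name, value, { domain, maxAge } = {}) {
    const hostOnly = domain === undefined;
    const scope = hostOnly ? host : domain.replace(/^\./, "");
    // A stored cookie is replaced or deleted only when name AND stored domain match.
    this.cookies = this.cookies.filter(c => !(c.name === name && c.scope === scope));
    if (maxAge !== 0) this.cookies.push({ name, value, scope, hostOnly });
  }

  // Cookies the browser would attach to a request for `host`.
  sentTo(host) {
    return this.cookies.filter(c =>
      c.hostOnly ? host === c.scope
                 : host === c.scope || host.endsWith("." + c.scope));
  }
}

function simulateLogout(expireDomainCookie) {
  const jar = new CookieJar();
  // Step 3: Artifactory issues a host-only cookie, Jira/Confluence a domain cookie.
  jar.set("foo.mydomain.com", "crowd.token_key", "constructed-token");
  jar.set("bar.mydomain.com", "crowd.token_key", "constructed-token",
          { domain: ".mydomain.com" });
  // Step 5: the Artifactory logout expires only its own host-only cookie.
  jar.set("foo.mydomain.com", "crowd.token_key", "", { maxAge: 0 });
  // Hypothetical remediation: also expire the cookie at the configured cookie.domain.
  if (expireDomainCookie) {
    jar.set("foo.mydomain.com", "crowd.token_key", "",
            { domain: ".mydomain.com", maxAge: 0 });
  }
  // What Jira/Confluence still receives after the logout.
  return jar.sentTo("bar.mydomain.com").map(c => c.name);
}

console.log("logout as reported:  ", simulateLogout(false));
console.log("domain-aware logout: ", simulateLogout(true));
```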


                People

                Assignee:
                Unassigned
                Reporter:
                andreik Andrei Komarov (Inactive)
