- Type: Bug
- Status: Closed
- Resolution: Deferred
- Affects Version/s: 4.14.1
- Fix Version/s: None
- Component/s: Crowd
- Labels: None
- Severity: High
This issue applies when working on a single domain, with Crowd and the rest of the connected SSO applications configured to produce a domain-level SSO cookie (cookie.domain), which is configurable in the crowd.properties file.
To reproduce:
1. Empty Crowd's "SSO domain" setting in the UI, add cookie.domain=.mydomain.com to crowd.properties in Crowd's home, and restart Crowd.
2. In Jira/Confluence's WEB-INF/crowd.properties, set cookie.domain=.mydomain.com.
3. Log into Artifactory (assuming it's at foo.mydomain.com/artifactory) in one browser tab, and log into Jira/Confluence (assuming it's at bar.mydomain.com) in another browser tab.
4. View your cookies; you should see two crowd.token_key SSO cookies: one issued under foo.mydomain.com by Artifactory and another issued under .mydomain.com by Confluence/Jira.
5. Now, if you log out of Artifactory in one tab, it destroys the crowd.token_key cookie under the host foo.mydomain.com, but since the crowd.token_key cookie under the domain .mydomain.com still remains, you are still logged in to Confluence/Jira. Reload the Jira/Confluence tab and you will see you are still logged in even though you have logged out of your SSO session in Artifactory.
- Two attached screenshots show the difference in the cookies produced by Artifactory and JIRA. Notable is the artifactory.cookies.png screenshot, where two JSESSIONID cookies are produced by Artifactory (one is the host-level one and one is the correct domain-level one).
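Added example (not part of the original report and not Artifactory or Crowd code): a small model of browser cookie storage that replays steps 3-5 and flags any crowd.token_key cookie whose scope differs from the configured cookie.domain. The Set-Cookie header shapes, the Max-Age=0 logout response, and the TOKEN-A/TOKEN-B values are constructed assumptions.

```python
from dataclasses import dataclass

SSO_COOKIE = "crowd.token_key"  # cookie name from the report

@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str      # request host if host-only, else the Domain attribute
    host_only: bool
    expired: bool

def parse_set_cookie(header, request_host):
    """Parse one Set-Cookie value received from request_host (RFC 6265 subset)."""
    pair, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = pair.partition("=")
    attr = {k.strip().lower(): v.strip() for k, _, v in (a.partition("=") for a in attrs)}
    domain = attr.get("domain", "").lstrip(".").lower()
    expired = attr.get("max-age") == "0"
    return Cookie(name, value, domain or request_host.lower(), not domain, expired)

class Jar:
    """Browser-like store: cookies are keyed by name and scope (path ignored here)."""
    def __init__(self):
        self.cookies = {}
    def store(self, c):
        key = (c.name, c.domain)
        if c.expired:
            self.cookies.pop(key, None)  # removes only the cookie with this exact scope
        else:
            self.cookies[key] = c
    def sent_to(self, host):
        return [c for c in self.cookies.values()
                if host == c.domain or (not c.host_only and host.endswith("." + c.domain))]

def scope_mismatches(cookies, cookie_domain):
    """SSO cookies whose scope differs from the configured cookie.domain."""
    want = cookie_domain.lstrip(".").lower()
    return [c for c in cookies if c.name == SSO_COOKIE and (c.host_only or c.domain != want)]

def replay_report():
    jar = Jar()
    # Constructed headers modelling steps 3-5; token values are placeholders.
    jar.store(parse_set_cookie("crowd.token_key=TOKEN-A; Path=/", "foo.mydomain.com"))
    jar.store(parse_set_cookie("crowd.token_key=TOKEN-B; Domain=.mydomain.com; Path=/", "bar.mydomain.com"))
    before = list(jar.cookies.values())
    # Assumed logout response: expires the cookie without a Domain attribute.
    jar.store(parse_set_cookie("crowd.token_key=; Max-Age=0; Path=/", "foo.mydomain.com"))
    return before, jar
```

Running scope_mismatches over the Set-Cookie headers each SSO application actually returns at login shows which application issues the token outside the shared domain scope.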
- is related to:
  - RTFACT-12900 The _System_ may be shown when signing out of Artifactory connected to Crowd SSO (Closed)
  - RTFACT-12901 After signing on to Crowd SSO with another app, a login form may be presented while already being logged in (Closed)