"Stay signed in" is broken after upgrading to 8.7.5

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
hoomanv
Posts: 12
Joined: Sat Sep 13, 2014 3:26 am
ZCS/ZD Version: 8.7.10
Contact:

"Stay signed in" is broken after upgrading to 8.7.5

Postby hoomanv » Sat Mar 25, 2017 2:57 pm

Hi,

We have recently upgraded from 8.6 to 8.7.5. The upgrade process was smooth although I had to use 8.6 installer first to install proxy and memcached components before being able to upgrade to 8.7.
Ever since the "Stay signed in" functionality is broken in the web client. HTTP cookies are lost after browser restart.

COS is configured like this:
Authtoken timeout: 30 days
Session idle timeout: 1 day

Using Chrome's developer tools I found the following sequence is happening once a user signs in:

1- A POST request is sent to the server

Code: Select all

POST / HTTP/1.1
Host: mail.mycompany.com
Connection: keep-alive
Content-Length: 84
Cache-Control: max-age=0
Origin: https://mail.mycompany.com/
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.98 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://mail.mycompany.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8,fa;q=0.6
Cookie: ZM_TEST=true

loginOp=login&username=username&password=password&zrememberme=1&client=preferred


2- Server responds and sets the ZM_AUTH_TOKEN cookie with correct expiration date

Code: Select all

HTTP/1.1 302 Found
Date: Sat, 25 Mar 2017 14:26:56 GMT
X-Frame-Options: SAMEORIGIN
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html;charset=utf-8
Content-Language: en-US
Set-Cookie: ZM_AUTH_TOKEN=XXXXXXXXXXXXXXXXXXXXXXXXXX;Path=/;Expires=Mon, 24-Apr-2017 14:26:56 GMT;Secure;HttpOnly
Location: https://mail.mycompany.com/
Content-Length: 0


3- Another request is sent to the server

Code: Select all

GET / HTTP/1.1
Host: mail.mycompany.com
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.98 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://mail.mycompany.com/
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8,fa;q=0.6
Cookie: ZM_TEST=true; ZM_AUTH_TOKEN=XXXXXXXXXXXXXXXXXXXXXXXXXX


4- Server responds, sets the JSESSIONID cookie and resets the ZM_AUTH_TOKEN cookie with the same value but without an expiration date

Code: Select all

HTTP/1.1 200 OK
Date: Sat, 25 Mar 2017 14:26:56 GMT
X-Frame-Options: SAMEORIGIN
Expires: Tue, 24 Jan 2000 17:46:50 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html;charset=utf-8
Content-Language: en
Set-Cookie: ZM_AUTH_TOKEN=XXXXXXXXXXXXXXXXXXXXXXXXXX;Path=/;Secure;HttpOnly
Set-Cookie: JSESSIONID=YYYYYYYYYYYYYYYYYYYY;Path=/;Secure;HttpOnly
X-UA-Compatible: IE=edge
Vary: Accept-Encoding, User-Agent
Content-Encoding: gzip
Transfer-Encoding: chunked


The ZM_AUTH_TOKEN expiration parameter was gone on the second response, thus the cookie will be held until the browser instance is running.
Another thing is that the JSESSIONID cookie set on the second response does not have an expiration parameter either, despite the fact that we have set the session idle timeout to 1 day in COS.
Is this a bug or am I missing a configuration?


hoomanv
Posts: 12
Joined: Sat Sep 13, 2014 3:26 am
ZCS/ZD Version: 8.7.10
Contact:

Re: "Stay signed in" is broken after upgrading to 8.7.5

Postby hoomanv » Tue Mar 28, 2017 9:33 am

Has anyone encountered the same problem with 8.7.5?
manuel
Posts: 1
Joined: Thu Mar 30, 2017 6:14 am

Re: "Stay signed in" is broken after upgrading to 8.7.5

Postby manuel » Thu Mar 30, 2017 6:25 am

We've got the same, kind of annoying problem since 8.7.0.
There are some bugreports for this issue: #106840 and #107346.
I didn't find a solution yet...
hoomanv
Posts: 12
Joined: Sat Sep 13, 2014 3:26 am
ZCS/ZD Version: 8.7.10
Contact:

Re: "Stay signed in" is broken after upgrading to 8.7.5

Postby hoomanv » Mon Apr 03, 2017 12:28 pm

manuel wrote:We've got the same, kind of annoying problem since 8.7.0.
There are some bugreports for this issue: #106840 and #107346.
I didn't find a solution yet...

Thank you manuel, I upvoted those bug reports.

Return to “Administrators”

Who is online

Users browsing this forum: No registered users and 18 guests