When you click "remember me" on login, it doesn't seem to persist after you close the browser. Our users are complaining about this given our previous site would remember you until you logged out (even between browser sessions).
Is this behavior configurable?
Jeff, the remember me login cookie has an expiration date which I believe is set to a week or so. Are your users seeing this happen every time after closing a browser and subsequently opening a new one, or does it seem to happen only after a set period of time? What version of Clearspace are you on?
We're running the latest - 2.5.3
Basically, it looks like the cookies are set to end at the end of session according to Firebug.
Is there a way I can configure this to end like in +1 month or something like that?
Also, looking at the source in JiveAuthenticationTranslationFilter, the code is hardcoded for this... does this mean I need to recompile the code to change this? Please say no...
    protected void addLoginCookie(JiveAuthentication auth, HttpServletRequest request, HttpServletResponse response) {
        if (JiveGlobals.getJiveBooleanProperty(COOKIE_LOGGED_IN + ".cookie", true)) {
            if (auth == null || auth.isAnonymous()) {
                Cookie cookie = CookieUtils.getCookie(request, COOKIE_LOGGED_IN);
                if (cookie != null) {
                    CookieUtils.deleteCookie(request, response, cookie);
                }
            }
            else {
                Cookie existing = CookieUtils.getCookie(request, COOKIE_LOGGED_IN);
                if (existing == null || !"true".equals(existing.getValue())) {
                    CookieUtils.setCookie(request, response, COOKIE_LOGGED_IN, "true", -1);
                }
            }
        }
    }
This is code that sets the timespan of the cookie that indicates whether you are logged in. The RememberMeProcessingFilter is what examines the remember me cookie. I'm investigating where this gets set and what the timespan is. This is the cookie that you are interested in, correct?
Thanks.
I'm not sure if this is the right cookie or not ... but it definitely expires upon session exit (that's what the HTTP headers indicate too).
Jeff,
Can you check your cookies for the expiration date of ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE? This should be two weeks from the time it was last set. When set (by selecting remember me at the login prompt), this should keep you logged in for up to two weeks. If this is not set, we'll need to check the security filters that are being applied for the URLs you are accessing to ensure that the RememberMeProcessingFilter is a part of the chain.
Thanks,
Austen
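The expiration check requested above can be run against the Set-Cookie headers of the login response. This is an added example, not part of the original thread or of Clearspace's code; only the cookie names come from the thread, while the header values and the NOW timestamp are constructed.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

REMEMBER_ME = "ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE"  # name from the thread

def cookie_lifetime(set_cookie, received_at):
    """Return (name, lifetime); lifetime is None for a session cookie."""
    first, *attrs = [p.strip() for p in set_cookie.split(";")]
    name = first.split("=", 1)[0]
    max_age = expires = None
    for attr in attrs:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        try:
            if key == "max-age":
                max_age = timedelta(seconds=int(val))
            elif key == "expires":
                when = parsedate_to_datetime(val)
                if when.tzinfo is None:  # treat zone-less dates as UTC
                    when = when.replace(tzinfo=timezone.utc)
                expires = when - received_at
        except (TypeError, ValueError):
            continue  # unparsable attribute value: ignore it
    # RFC 6265: Max-Age wins over Expires; neither one means a session cookie.
    return name, max_age if max_age is not None else expires

def audit_login_response(set_cookie_headers, received_at):
    """Map each cookie name to 'session', 'deleted' or 'persistent:<days>d'."""
    report = {}
    for header in set_cookie_headers:
        name, life = cookie_lifetime(header, received_at)
        if life is None:
            report[name] = "session"
        elif life <= timedelta(0):
            report[name] = "deleted"
        else:
            report[name] = f"persistent:{life.days}d"
    report.setdefault(REMEMBER_ME, "missing")  # never set by this response
    return report

# Constructed sample headers; values are placeholders, not real tokens.
NOW = datetime(2009, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
NO_REMEMBER_ME = [
    "JSESSIONID=0123ABCD; Path=/",
    "jive.server.info=constructed; Path=/",
]
WITH_REMEMBER_ME = NO_REMEMBER_ME + [REMEMBER_ME + "=constructed; Max-Age=1209600; Path=/"]
print(audit_login_response(NO_REMEMBER_ME, NOW))
print(audit_login_response(WITH_REMEMBER_ME, NOW))
```

A result of "missing" or "session" for the remember-me cookie matches the symptom reported in this thread; "persistent:14d" matches the two-week lifetime described above.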
The only 3 cookies that are being sent are:
- JSESSIONID
- jive.server.info
- jive.recentHistory
We do have our own authentication filter that hits a different DB for login credentials. Are we supposed to set this cookie or call something else to make this work?
A couple of questions for you:
If you have simply modified the filter chain, you'll probably just need to add back in the rememberMeProcessingFilter. If you have SSO integration, it would be the responsibility of the SSO solution to set a cookie that Clearspace can consume (via custom code).
We're using the out-of-the-box Clearspace installation. Looking at the web.xml in the WAR, there is no remember anything in the file. (see attached copy of web.xml we're running)
We are using the default jive login form. We have simply written a plugin that will talk with our DB to validate credentials and pass back to Jive the info.
The "Remember Me" is in the default Jive login interface.
Is there something else we need to do to configure this?
Jeff,
Does your plugin have a spring.xml? If so, can you please post that as an attachment to the case? The security related changes would be contained in this file, not the web.xml.
here's our plugin.
Thanks, this is helpful. A couple more things:
I can confirm that the form is how you described it. I've also attached a copy of our AuthFilter. There are some odd bits in there, mostly because we want to authenticate users by their emails and not their usernames. Let me know if you have any questions.
You should have a copy of the Auth filter now. Also, I can confirm that there is an autoLogin field on the login form and the submit action is "cs_login".
-Kevin
Jeff, any update?
Hi Austen,
I am going to be trying to run this down for us - see my update to your last question. Are there other things I can be looking at that will be of assistance?
Also, as Jeff noted, we don't have any servlet filters defined for "rememberMeFilter" or anything along those lines.
Kevin,
The ACEGI security filters are a bit different in that they are defined in the spring.xml file, not the web.xml. As for the issue you are running across, we have apparently had several reports of the problem and it appears to be due to a recent change in the way Tomcat handles cookies when certain values are placed in the cookie. We have a defect filed for this (CS-9849) and the fix is currently scheduled for the 2.5.5 release.
Thank you all for your help on this issue!
Thanks for the update - is there a workaround available for the issue?
this is a real big problem for us and our users are constantly complaining about this -- especially our power users who stay on the forums all day.
we need a quick workaround -- do we need to downgrade tomcat or something? can we patch the source ourselves?
The bug report states that this started happening in Tomcat 6.0.18. If you downgrade to a version prior to that, you should see the remember me functionality start to function again.
Is a previous version of Tomcat 6 known to work, or are we talking a downgrade to 5.5?
Also, for the record, we're running Tomcat 6.0.14 - so the issue has likely been around a bit longer...
-Kevin
Kevin,
The comment from the assigned developer is that the change took place in the 6.0.18 release of Tomcat, but he could be mistaken. Can you please confirm that your users are not logging out at the end of their session? If you log out, the remember me cookie will be cleared. Also, would it be possible to use Fire Cookie to get a dump of all