Up to Discussions in Clearspace
37 Replies Last post: Dec 18, 2008 5:25 AM by Austen Rustrum  
Jeff Haynie Novice
Jeff Haynie
18 posts since
Sep 3, 2008
Currently Being Moderated

Nov 11, 2008 11:33 PM

Users not being remembered

When you click "remember me" on login, it doesn't seem to persist after you close the browser.  Our users are complaining about this given our previous site would remember you until you logged out (even between browser sessions).

 

Is this behavior configurable?

Austen Rustrum JiveSupport
Austen Rustrum
3,618 posts since
Feb 19, 2008
Currently Being Moderated
Nov 12, 2008 2:39 PM in response to: Jeff Haynie
Re: Users not being remembered

Jeff, the remember me login cookie has an expiration date which I believe is set to a week or so.  Are you users seeing this happen every time after closing a browser and subsequently opening a new one or does it seem to happen only after a set period of time?  What version of Clearspace are you on? 

Report Abuse
Jeff Haynie Novice
Jeff Haynie
18 posts since
Sep 3, 2008
Currently Being Moderated
Nov 13, 2008 3:06 PM in response to: Austen Rustrum
Re: Users not being remembered

We're running the latest - 2.5.3

 

Basically, it looks like the cookies are set to end at the end of session according to Firebug.

 

Is there a way I can configure this to end like in +1 month or something like that?

Report Abuse
Jeff Haynie Novice
Jeff Haynie
18 posts since
Sep 3, 2008
Currently Being Moderated
Nov 13, 2008 3:09 PM in response to: Jeff Haynie
Re: Users not being remembered

Also, looking at the source in JiveAuthenticationTranslationFilter the code is harded for this..  does this mean i need to recompile the code to change this.?  please say no.......

 

 

 

 

    protected void addLoginCookie(JiveAuthentication auth, HttpServletRequest request, HttpServletResponse response) {

        if (JiveGlobals.getJiveBooleanProperty(COOKIE_LOGGED_IN + ".cookie", true)) {

        if (auth == null || auth.isAnonymous()) {

        Cookie cookie = CookieUtils.getCookie(request, COOKIE_LOGGED_IN);

        if (cookie != null) {

        CookieUtils.deleteCookie(request, response, cookie);

        }

        }

        else {

        Cookie existing = CookieUtils.getCookie(request, COOKIE_LOGGED_IN);

        if (existing == null || !"true".equals(existing.getValue())) {

        CookieUtils.setCookie(request, response, COOKIE_LOGGED_IN, "true", -1);

        }

        }

        }

    }



Report Abuse
Austen Rustrum JiveSupport
Austen Rustrum
3,618 posts since
Feb 19, 2008
Currently Being Moderated
Nov 13, 2008 3:49 PM in response to: Jeff Haynie
Re: Users not being remembered

This is code that sets the timespan of the cookie that indicates whether you are logged in.  The RememberMeProcessingFilter is what examines the remember me cookie.  I'm investigating where this gets set and what the timespan is.  This is the cookie that you are interested in, correct?

Report Abuse
Jeff Haynie Novice
Jeff Haynie
18 posts since
Sep 3, 2008
Currently Being Moderated
Nov 13, 2008 4:07 PM in response to: Austen Rustrum
Re: Users not being remembered

Thanks.

 

I'm not sure if this is the right cookie or not ... but it definitely expires upon session exit (that's what the HTTP headers indicate too).

Report Abuse
Austen Rustrum JiveSupport
Austen Rustrum
3,618 posts since
Feb 19, 2008
Currently Being Moderated
Nov 14, 2008 6:15 AM in response to: Jeff Haynie
Re: Users not being remembered

Jeff,

 

Can you check your cookies for the expiration date of ACEGI_SECURITY_HASHED_REMEMBER_ME_COOKIE?  This should be two weeks from the time it was last set.  When set (by selecting remember me at the login prompt), this should keep you logged in for up to two weeks.  If this is not set, we'll need to check the security filters that are being applied for the URLs you are accessing to ensure that the RememberMeProcessingFilter is a part of the chain. 

 

Thanks,

Austen

Report Abuse
Jeff Haynie Novice
Jeff Haynie
18 posts since
Sep 3, 2008
Currently Being Moderated
Nov 14, 2008 11:45 AM in response to: Austen Rustrum
Re: Users not being remembered

The only 3 cookies that are being sent are:

 

- JSESSIONID

- jive.server.info

- jive.recentHistory

 

 

We do have our own authentication filter that hits a different DB for login credentials.  Are we suppose to set this cookie or call something else to make this work?

Report Abuse
Austen Rustrum JiveSupport
Austen Rustrum
3,618 posts since
Feb 19, 2008
Currently Being Moderated
Nov 14, 2008 11:53 AM in response to: Jeff Haynie
Re: Users not being remembered

A couple of questions for you:

 

  • Can you post the spring security filter chain that you are using? 
  • Are you using our login form and reaching out to another DB or do you have a full SSO integration?
  • Does your login have the option to "Remember Me"?

 

If you have simply modified the filter chain, you'll probably just need to add back in the rememberMeProcessingFilter.  If you have SSO integration, it would be the responsibility of the SSO solution to set a cookie that Clearspace can consume (via custom code).

Report Abuse
Jeff Haynie Novice
Jeff Haynie
18 posts since
Sep 3, 2008
Currently Being Moderated
Nov 18, 2008 9:59 AM in response to: Austen Rustrum
Re: Users not being remembered

We're using the out-of-the-box clearspace installation.  Looking the the web.xml in the WAR, there is no remember anything in the file. (see attached copy of web.xml we're running)

 

We are using the default jive login form.  We have simply written a plugin that will talk with our DB to validate credentials and pass back to Jive the info.

 

The "Remeber Me" is in the default Jive login interface.

 

Is there something else we need to do to configure this?

Attachments:
Report Abuse
Austen Rustrum JiveSupport
Austen Rustrum
3,618 posts since
Feb 19, 2008
Currently Being Moderated
Nov 18, 2008 10:37 AM in response to: Jeff Haynie
Re: Users not being remembered

Jeff,

 

Does your plugin have a spring.xml?  If so, can you please post that as an attachment to the case?  The security related changes would be contained in this file, not the web.xml.

Report Abuse
Jeff Haynie Novice
Jeff Haynie
18 posts since
Sep 3, 2008
Currently Being Moderated
Nov 18, 2008 10:45 AM in response to: Austen Rustrum
Re: Users not being remembered

here's our plugin.

Attachments:
Report Abuse
Austen Rustrum JiveSupport
Austen Rustrum
3,618 posts since
Feb 19, 2008
Currently Being Moderated
Nov 18, 2008 10:59 AM in response to: Jeff Haynie
Re: Users not being remembered

Thanks, this is helpful.  A couple more things:

 

  1. Can I get a copy of the AppceleratorAuthFilter
  2. Can you confirm that the login form for Clearspace has a form field named autoLogin and that the form action is "cs_login"?
Report Abuse
Martin Robinson Novice
Martin Robinson
15 posts since
Oct 10, 2008
Currently Being Moderated
Nov 18, 2008 12:32 PM in response to: Austen Rustrum
Re: Users not being remembered

I can confirm that the form is how you described it. I've also attached a copy of our AuthFilter. There are some odd bits in there, mostly because we want to authenticate users by their emails and not their usernames. Let me know if you have any questions.

Attachments:
Report Abuse
Kevin Whinnery Novice
Kevin Whinnery
18 posts since
Nov 20, 2008
Currently Being Moderated
Nov 20, 2008 10:07 AM in response to: Austen Rustrum
Re: Users not being remembered

You should have a copy of the Auth filter now.  Also, I can confirm that there is an autoLogin field on the login form and the submit action is "cs_login".

 

-Kevin

Report Abuse
Austen Rustrum JiveSupport
Austen Rustrum
3,618 posts since
Feb 19, 2008
Currently Being Moderated
Nov 18, 2008 5:27 AM in response to: Jeff Haynie
Re: Users not being remembered

Jeff, any update?

Report Abuse
Kevin Whinnery Novice
Kevin Whinnery
18 posts since
Nov 20, 2008
Currently Being Moderated
Nov 20, 2008 10:24 AM in response to: Austen Rustrum
Re: Users not being remembered

Hi Austen,

 

I am going to be trying to run this down for us - see my update to your last question.  Are there other things I can be looking at that will be of assistance?

Report Abuse
Kevin Whinnery Novice
Kevin Whinnery
18 posts since
Nov 20, 2008
Currently Being Moderated
Nov 20, 2008 10:36 AM in response to: Austen Rustrum
Re: Users not being remembered

Also, as Jeff noted, we don't have any servlet filters defined for "rememberMeFilter" or anything along those lines.

Report Abuse
Austen Rustrum JiveSupport
Austen Rustrum
3,618 posts since
Feb 19, 2008
Currently Being Moderated
Nov 21, 2008 8:56 AM in response to: Kevin Whinnery
Re: Users not being remembered

Kevin,

 

The ACEGI security filters are a bit different in that they are defined in the spring.xml file, not the web.xml.  As for the issue you are running across, we have apparently had several reports of the problem and it appears to be due to a recent change in the way Tomcat handles cookies when certain values are placed in the cookie.  We have a defect filed for this (CS-9849) and the fix is currently scheduled for the 2.5.5 release.

 

Thank you all for your help on this issue!

Report Abuse
Kevin Whinnery Novice
Kevin Whinnery
18 posts since
Nov 20, 2008
Currently Being Moderated
Nov 21, 2008 9:09 AM in response to: Austen Rustrum
Re: Users not being remembered

Thanks for the update - is there are workaround available for the issue?

Report Abuse
Jeff Haynie Novice
Jeff Haynie
18 posts since
Sep 3, 2008
Currently Being Moderated
Nov 21, 2008 9:30 AM in response to: Austen Rustrum
Re: Users not being remembered

this is a real big problem for us and our users are constantly complaining about this -- especially our power users who stay on the forums all day.

 

we need a quick workaround -- do we need to downgrade tomcat or something?  can we patch the source ourselves?

Report Abuse
Austen Rustrum JiveSupport
Austen Rustrum
3,618 posts since
Feb 19, 2008
Currently Being Moderated
Nov 21, 2008 11:25 AM in response to: Jeff Haynie
Re: Users not being remembered

The bug report states that this started happening in Tomcat 6.0.18.  If you downgrade to a version prior to that, you should see the remember me functionality start to function again.

Report Abuse
Kevin Whinnery Novice
Kevin Whinnery
18 posts since
Nov 20, 2008
Currently Being Moderated
Nov 21, 2008 11:52 AM in response to: Austen Rustrum
Re: Users not being remembered

Is a previous version of Tomcat 6 known to work, or are we talking a downgrade to 5.5?

Report Abuse
Kevin Whinnery Novice
Kevin Whinnery
18 posts since
Nov 20, 2008
Currently Being Moderated
Nov 24, 2008 7:27 AM in response to: Austen Rustrum
Re: Users not being remembered

Also, for the record, we're running Tomcat 6.0.14 - so the issue has likely been around a bit longer...

 

-Kevin

Report Abuse
Austen Rustrum JiveSupport
Austen Rustrum
3,618 posts since
Feb 19, 2008
Currently Being Moderated
Nov 24, 2008 1:10 PM in response to: Kevin Whinnery
Re: Users not being remembered

Kevin,

 

The comment from the assigned developer is that the change took place in the 6.0.18 release of Tomcat, but he could be mistaken.  Can you please confirm that your users are not logging out ant the end of their session?  If you log out, the remember me cookie will be cleared.  Also, would it be possible to use Fire Cookie to get a dump of all