U4-7538 - GetRemainingTimeoutSeconds is double setting the cookie in 7.4

Created by Shannon Deminick 15 Dec 2015, 11:10:09 Updated by Shannon Deminick 05 Jan 2016, 11:35:25

Relates to: U4-7495

When the GetRemainingSeconds middleware renews, it's double-setting the cookie; see response:

Set-Cookie:UMB_UCONTEXT=123456789; path=/; expires=Tue, 15-Dec-2015 11:34:23 GMT; HttpOnly
Set-Cookie:UMB_UCONTEXT=987654321; path=/; expires=Tue, 15-Dec-2015 11:24:23 GMT; HttpOnly

Comments

Shannon Deminick 15 Dec 2015, 16:19:35

PR here: https://github.com/umbraco/Umbraco-CMS/pull/956


Shannon Deminick 15 Dec 2015, 16:27:52

Here's what was happening:

  • The cookie middleware for the normal back office requests was also renewing the ticket at the same time as our GetUserSecondsMiddleWare when keepuserloggedin = true
  • The GetUserSecondsMiddleWare had a hard-coded value of 30 mins to slide the expiry, but this could get overwritten in the same request by the normal cookie middleware... thus the double cookie write and the cause for this issue: U4-7495

To fix this, the standard cookie middleware will ignore all requests for the GetUserSecondsMiddleWare path, therefore this request will never get the ticket renewed by the standard middleware. The GetUserSecondsMiddleWare now uses a separate cookie options instance that only looks for cookies in the path of the GetUserSecondsMiddleWare request. So now, any time the GetUserSecondsMiddleWare runs: if keepuserloggedin == false, the ticket is never renewed; if keepuserloggedin == true, the ticket will be renewed according to the timeout value in the web.config when it's time for renewal.

To test:

  • log out of the back office
  • set keepUserLoggedIn = true
  • change the timeout value in the webconfig umbracoTimeOutInMinutes to 4 minutes
  • log in to the back office
  • watch your Chrome dev tools network requests and look for /umbraco/backoffice/UmbracoApi/Authentication/GetRemainingTimeoutSeconds; verify that there is no Set-Cookie header for most of these requests
  • Once 2 mins go by (approx), the GetRemainingTimeoutSeconds will renew the ticket and you'll see a single Set-Cookie header value sent back. Its expiry will be now + the umbracoTimeOutInMinutes

NOTE: if you set umbracoTimeOutInMinutes to something very small like 2 minutes, even with keepUserLoggedIn == true, you'll get logged out because there's a 30 second threshold in JS, so 2 minutes isn't long enough to keep the user logged in

Next, test that you get logged out without keepUserLoggedIn

  • log out of the back office
  • set keepUserLoggedIn = false
  • change the timeout value in the webconfig umbracoTimeOutInMinutes to 4 minutes
  • log in to the back office
  • watch your Chrome dev tools network requests and look for /umbraco/backoffice/UmbracoApi/Authentication/GetRemainingTimeoutSeconds; verify that there is no Set-Cookie for any requests, even at the 2 minute mark
  • You will be logged out at around 3.5+ mins
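Both test runs above come down to inspecting the Set-Cookie headers on the GetRemainingTimeoutSeconds responses: no auth cookie on most requests, and at renewal exactly one cookie whose expiry is now + umbracoTimeOutInMinutes. The script below is an added example, not Umbraco code and not part of the PR: it parses Set-Cookie headers the way a response is captured from the network tab, flags any cookie name written more than once in one response (the symptom in this issue), and checks the single-renewal case. The sample header lists are constructed from the response quoted in the issue (cookie values are placeholders), and the 60-second tolerance for the expiry check is an assumption.

```python
"""Inspect Set-Cookie headers from GetRemainingTimeoutSeconds responses.

Added example (not Umbraco code): groups Set-Cookie headers by cookie name so a
double write like the one in the issue is flagged, and checks the fixed
behaviour, where a renewal sends exactly one cookie expiring now + timeout.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: the two headers quoted in the issue, one header line each
# as a server would emit them. Cookie values are placeholders, not real tickets.
DOUBLE_WRITE_HEADERS = [
    ("Set-Cookie", "UMB_UCONTEXT=123456789; path=/; expires=Tue, 15-Dec-2015 11:34:23 GMT; HttpOnly"),
    ("Set-Cookie", "UMB_UCONTEXT=987654321; path=/; expires=Tue, 15-Dec-2015 11:24:23 GMT; HttpOnly"),
    ("Content-Type", "application/json; charset=utf-8"),
]

# Constructed sample of the expected post-fix renewal response: a single cookie.
RENEWAL_HEADERS = [
    ("Content-Type", "application/json; charset=utf-8"),
    ("Set-Cookie", "UMB_UCONTEXT=123456789; path=/; expires=Tue, 15-Dec-2015 11:34:23 GMT; HttpOnly"),
]

# Netscape-style (dashes) and RFC 1123 (spaces) expires formats, both GMT.
EXPIRES_FORMATS = ("%a, %d-%b-%Y %H:%M:%S GMT", "%a, %d %b %Y %H:%M:%S GMT")


def parse_expires(text):
    """Parse a cookie expires attribute into a timezone-aware UTC datetime."""
    for fmt in EXPIRES_FORMATS:
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised expires value: %r" % text)


def parse_set_cookie(value):
    """Split one Set-Cookie header value into name, value and the attributes we care about."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": cookie_value.strip(),
              "path": None, "expires": None, "httponly": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "httponly":
            cookie["httponly"] = True
        elif key == "path":
            cookie["path"] = val.strip()
        elif key == "expires":
            cookie["expires"] = parse_expires(val.strip())
    return cookie


def cookies_by_name(headers):
    """Group every Set-Cookie in a (header, value) list by cookie name, in order."""
    grouped = {}
    for header, value in headers:
        if header.lower() == "set-cookie":
            cookie = parse_set_cookie(value)
            grouped.setdefault(cookie["name"], []).append(cookie)
    return grouped


def find_double_writes(headers):
    """Return {name: [cookies]} for every cookie name set more than once in one response."""
    return {name: cs for name, cs in cookies_by_name(headers).items() if len(cs) > 1}


def check_renewal(headers, now, timeout_minutes, cookie_name="UMB_UCONTEXT", tolerance_seconds=60):
    """Fixed behaviour: exactly one Set-Cookie for the auth cookie, expiring now + timeout.

    Returns (ok, reason). The tolerance is an assumption to absorb clock skew
    between the capture time and the server's expiry calculation.
    """
    cookies = cookies_by_name(headers).get(cookie_name, [])
    if len(cookies) != 1:
        return False, "expected 1 Set-Cookie for %s, got %d" % (cookie_name, len(cookies))
    expires = cookies[0]["expires"]
    if expires is None:
        return False, "cookie has no expires attribute"
    expected = now + timedelta(minutes=timeout_minutes)
    drift = abs((expires - expected).total_seconds())
    if drift > tolerance_seconds:
        return False, "expiry %s is %.0fs away from expected %s" % (expires.isoformat(), drift, expected.isoformat())
    return True, "single renewal, expiry is now + %d min" % timeout_minutes


if __name__ == "__main__":
    for name, cs in find_double_writes(DOUBLE_WRITE_HEADERS).items():
        print("%s written %d times; expiries: %s" % (name, len(cs), [c["expires"].isoformat() for c in cs]))
    capture_time = parse_expires("Tue, 15-Dec-2015 11:30:23 GMT")  # constructed capture time
    print(check_renewal(RENEWAL_HEADERS, capture_time, timeout_minutes=4))
```

Run it against headers copied from the network tab for the renewal request: the double-write check should return nothing, and check_renewal should pass with the capture time and the umbracoTimeOutInMinutes value you configured.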


Priority: Normal

Type: Task

State: Fixed

Assignee:

Difficulty:

Category:

Backwards Compatible: True

Fix Submitted:

Affected versions:

Due in version: 7.4.0, 7.3.5

Sprint: Sprint 5

Story Points:

Cycle: