Daily logouts from wiki, even with remember-me

webminster · August 12, 2022, 3:55pm

I’ve been seeing in our installations (on Ubuntu with the deb packages, versions from 13.9 to 13.10.8) that my login to the wiki expires after 24 hours. Even though I select “remember me”, and I’ve cleared cookies for good measure, I get thrown back to login screen every day. This just leave the browser open, and reloading next morning.

I see none of the cookies expire, and the JSESSIONID cookie is marked expire on next session… but I’m not closing the browser. Also happening on Chrome and Firefox 103. If it makes difference, am using LDAP logins with Active Directory.

Is there some setting somewhere that might have gotten fubar’ed that controls this? What debugging hints are there? Thanks in advance.
-Alan

webminster · August 15, 2022, 2:43pm

I see some log messages around the times I have to log in, what do these mean?

2022-08-15 14:33:42,756 [ajp-nio-8009-exec-4 - https://wiki.ss.saas.xx.com/xwiki/bin/ssx/XWiki/Mentions/MentionsMacro?language=en&docVersion=3.1] WARN u.i.x.MyPersistentLoginManager - Login cookie validation hash mismatch! Cookies have been tampered with
2022-08-15 14:39:37,644 [ajp-nio-8009-exec-1 - https://wiki.ss.saas.xx.com/xwiki/bin/view/CCoE/Developer%20Resources/CCoE%20Jenkins/Pipeline%20Examples/?srid=HlbVgPHU] WARN u.i.x.MyPersistentLoginManager - Login cookie validation hash mismatch! Cookies have been tampered with

webminster · August 15, 2022, 2:46pm

Maybe I should note this is running on Ubuntu 18 with tomcat 8 as container.

webminster · August 16, 2022, 3:01pm

Can anyone give me any hints? I’ve tried Java 8 and 11, and tomcat8 and tomcat9 containers, and that doesn’t help.
-Alan

watery · August 19, 2022, 7:56am

No idea, but I tried the “remember me” and gone over 36 hours so far, without closing the browser and even with closing it. The login has been kept.

Seen those messages when I misconfigured these:

#-# Cookie encryption keys. You SHOULD replace these values with any random string,
#-# as long as the length is the same.
xwiki.authentication.validationKey=totototototototototototototototo
xwiki.authentication.encryptionKey=titititititititititititititititi

https://github.com/xwiki/xwiki-platform/blob/master/xwiki-platform-tools/xwiki-platform-tool-configuration-resources/src/main/resources/xwiki.cfg.vm#L316

As stated, you can (and should) change them, but they must exactly be of that same length, not one character more, not one less.

watery · August 19, 2022, 8:03am

Ah, I should add that I just have XWiki on Tomcat, HTTP only and without any webserver in front of it.

webminster · August 19, 2022, 4:41pm

Thanks for the reply. This is something that has happened at some point, I think during an upgrade of xwiki. I have checked my keys as you showed above, and they’re the same as I’ve used since the beginning, and they worked fine.

So the xwiki.authentication.validationKey and xwiki.authentication.encryptionKey options don’t seem to point to the issue from what I see.

pdwalker · August 22, 2022, 7:00am

I have a Ubuntu 18 and Tomcat 9 installation with xwiki 14.x and I have no issues with being disconnected.

Do you know where your persistent data is being stored? Is there something else coming along and cleaning the data up?