[JIRA] (JENKINS-16278) "Remember me on this computer" does not work, cookie is not accepted in new session

[email protected] (JIRA) Tue, 15 Jan 2013 07:57:06 -0800

commit a9aff088 [SECURITY-49] introduced a change in signature generation for the remember me token in jenkins/core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java:
String expectedTokenSignature = MAC.mac(userDetails.getUsername() + ":" + tokenExpiryTime + ":" + "N/A" + ":" + getKey());

This code is used to VERIFY a cookie sent to Jenkins. The new verification process seems fine, but the change in code is NOT reflected in org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices.class . loginSuccess, where remember me cookies are created and sent to the user. Here, the old signature generation is still being used:
String signatureValue = DigestUtils.md5Hex(username + ":" + expiryTime + ":" + password + ":" + key);

I suggest either @Overriding TokenBasedRememberMeServices.loginSuccess in /jenkins-core/src/main/java/hudson/security/TokenBasedRememberMeServices2.java as well to rely on TokenBasedRememberMeServices2.makeTokenSignature, or revert to the old md5 signature.

Any comments?

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators.
For more information on JIRA, see: http://www.atlassian.com/software/jira

[JIRA] (JENKINS-16278) "Remember me on this computer" does not work, cookie is not accepted in new session

Reply via email to