  1. Dev - Nexus Repo
  2. NEXUS-6385

Nexus cookies do not specify port, resulting in cookies from myhostname:8081 being sent to myhostname:8082

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Security
    • Labels:
      None
    • Environment:
      nexus-professional-2.0-20120119.133103-13-bundle
    • Story Points:
      2

      Description

      I tracked this down to the fact that cookies do not typically set the port, so per the RFC they can be sent to a different server as long as the host name is the same.
      http://stackoverflow.com/questions/1612177/are-http-cookies-port-specific

      Setting the port in the cookie may cause other issues with browsers (and how does this play with firewalls and proxies?).

      One simple solution is to make the cookie name configurable. If we ever switch to shiro-guice (which will remove a bunch of other code) we could easily inject/configure the cookie name.

      Or, if we are going to keep our boilerplate code, we could configure the cookie name in org.sonatype.nexus.security.NexusWebRealmSecurityManager.init() to call webSessionManager.setSessionIdCookie(...)

      Original Setup:

      I started two nexus pro instances locally.

      Nexus A - http://localhost:8081/nexus - publisher
      Nexus B - http://localhost:8082/nexus - subscriber

      Established a Smart Proxy trust between A and B.

      Created apache-snapshots-proxy repo on Nexus B proxied to Nexus A http://localhost:8081/nexus/content/repositories/apache-snapshots

      Besides logging into the UI only a few times I noticed the following after a short while in the Nexus B logs:

      jvm 1 | 2012-01-19 15:45:22 INFO [Thread-25 ] - org.apache.shiro.session.mgt.AbstractValidatingSessionManager - Validating all active sessions...
      jvm 1 | 2012-01-19 15:45:22 INFO [Thread-25 ] - org.apache.shiro.session.mgt.AbstractValidatingSessionManager - Finished session validation. [274] sessions were stopped.

      Nexus A seemed to have 169 sessions cleaned up.

      How is it that 274 sessions were created? Are these being created by smart proxy?


              People

              Assignee:
              plynch Peter Lynch
              Reporter:
              plynch Peter Lynch
              Last Updated By:
              Peter Lynch Peter Lynch
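
The behaviour reported in this issue, reproduced as an added example that is not part of the original report or the Nexus code base. It drives Python's standard `http.cookiejar` client against the two host:port pairs from the title, first with a shared session cookie name and then with a distinct name per instance, as the description proposes. The `NXSESSIONID_A` / `NXSESSIONID_B` names, the `JSESSIONID` default and the session values are constructed for illustration.

```python
import email.message
import http.cookiejar
import urllib.request


class FakeResponse:
    """Minimal response object; CookieJar only calls info() on it."""

    def __init__(self, set_cookie):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def visit(jar, url, set_cookie=None):
    """Issue one request through the jar and return the Cookie header sent."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)          # client decides which cookies match
    sent = req.get_header("Cookie")
    if set_cookie:                      # server answers with a session cookie
        jar.extract_cookies(FakeResponse(set_cookie), req)
    return sent


def simulate(name_a, name_b):
    """Log in to instance A (:8081), then B (:8082), then go back to A."""
    jar = http.cookiejar.CookieJar()
    a = "http://myhostname:8081/nexus/"
    b = "http://myhostname:8082/nexus/"
    visit(jar, a, f"{name_a}=session-from-A; Path=/nexus")
    sent_to_b = visit(jar, b, f"{name_b}=session-from-B; Path=/nexus")
    sent_back_to_a = visit(jar, a)
    return sent_to_b, sent_back_to_a


if __name__ == "__main__":
    # Same cookie name on both instances: A's session id is sent to B,
    # and B's Set-Cookie then replaces A's entry in the jar.
    print(simulate("JSESSIONID", "JSESSIONID"))
    # Distinct names (constructed): both cookies still travel to both ports,
    # but neither overwrites the other, so each instance finds its own id.
    print(simulate("NXSESSIONID_A", "NXSESSIONID_B"))
```

Distinct names stop the two instances from clobbering each other's session id, but each instance's session cookie is still disclosed to the other port on the same host.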