Frequent logouts and Session swap / hijack in JIRA
Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.
Note that this knowledge base article was created for the Data Center version of the product. Data Center knowledge base articles for non-Data Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
The steps outlined on this article are provided AS-IS. This means we've had reports of them working for some customers — under certain circumstances — yet are not officially supported, nor can we guarantee they'll work for your specific scenario.
You may follow through and validate them on your own non-prod environments prior to production or fall back to supported alternatives if they don't work out.
We also invite you to reach out to our Community for matters that fall beyond Atlassian's scope of support!
Symptoms
Frequent logouts and sessions getting swapped (or hijacked) for some logged in users. When session swap / hijack happens you would see someone else's name as logged in user on top right and if you do not notice and create an issue or comment, it will go as the other user. Conversely, you may find an issue or comment created by your name but you didn't do it.
Diagnosis
Jira is integrated with Apache as per Proxying Atlassian server applications with Apache HTTP Server (mod_proxy_http), or a misconfigured LDAP.
Cause
- If use Apache as reverse proxy (mod_proxy) for JIRA server as it handles SSL and talks to JIRA at port 8080 via ProxyPass.
- Using mod_cache's disk based caching for all URLs.
Use of mod_cache is known to create problem of session mix ups when Apache is used as reverse proxy with JIRA. Since Apache had been running possibly as long as the uptime of JIRA server which is 101 days, its cache got into a bad state as seen by errors in ssl_error_log file, creating a situation where it started to either drop or mix up JSESSIONID cookie sent by JIRA to client. This results in logout of client or worse session mixups.
- Additionally if the LDAP is not configured as per RFC, as detailed in JRASERVER-47583 - Integrating with LDAP causes session hijacking when the user unique ID attribute is not unique, this behaviour can occur.
Error in ssl_error_log:
[xxx xxx xx xx:xx:xx xxxx] [error] (103) Software caused connection abort: cache: error returned while trying to return disk cached dataWorkaround
For Apache:
Restart of Apache itself fixed the issue, but for future following lines have been commented in /etc/httpd/conf/httpd.conf, which is also recommended configuration.
#<IfModule mod_disk_cache.c>
# CacheEnable disk /
# CacheRoot "/var/cache/mod_proxy"
#</IfModule>
For LDAP:
The LDAP engine must not be configured to have a 'user unique ID attribute' (ldap.external.id) that is not unique. This is documented in RFC 2307.