  1. Jenkins
  2. JENKINS-25046

Cookie header too long, causing a 413 HTTP error


    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Component/s: core, extras-executable-war
    • Labels:
      None
    • Environment:
      Jenkins 1.581, launched through the built in Jetty

      Description

      Each time Jenkins (re)starts, its session-cookie name changes (i.e. JSESSIONID.some_random_string).

      After a while, the browser has a bunch of session cookies, each one having a different name, causing the "Cookie" request header to be very long. The server returns an HTTP 413 response and a blank page. The user must clean his cookies in order to access Jenkins again.

       

      Workaround: Since Jenkins 2.66 there are custom options for managing Jetty session IDs: https://github.com/jenkinsci/extras-executable-war/#jetty-session-ids


            Activity

            oleg_nenashev Oleg Nenashev added a comment -

            Extra options will be available in 2.66, see JENKINS-44894

            oleg_nenashev Oleg Nenashev added a comment -

            Unassigning myself since I have provided a workaround. If somebody is interested to deliver a fix working out-of-the-box, please feel free to take it

            ssbarnea Sorin Sbarnea added a comment -

            The random session generation seems like a really bad design decision. Why not use the Jenkins URL as the base for a hash function? That's clearly unique per instance, doesn't change often and survives any number of restarts.

            danielbeck Daniel Beck added a comment -

            Why not use the Jenkins URL as the base for a hash function

            The session ID is set in a component that is independent from Jenkins and knows nothing about it, when the configured URL is not yet even known, and the configured URL can change at any time (in fact, it will change for every initially configured Jenkins instance). There are so many problems here.

            Although I suppose "All sessions are invalidated when I change the Jenkins URL" would make a fun bug report.

            ssbarnea Sorin Sbarnea added a comment -

            Well, in this case the solution is to save this generated ID in the working directory and always re-use it if found. I doubt anyone would be able to run multiple Jenkins instances from the same working directory.

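The workaround and the last suggestion combined, as an added example that is not part of the issue thread or of the Jenkins project's code: a launcher helper that creates a session cookie name once under the instance's home directory and reuses it on every restart, so the browser stops accumulating `JSESSIONID.*` cookies. The file name `session-cookie-name` and the function names are assumptions; `executableWar.jetty.sessionIdCookieName` is the system property documented in the extras-executable-war README linked in the description.

```shell
#!/bin/sh
# Added example. Assumption: $1 is the per-instance home directory
# (for example JENKINS_HOME); "session-cookie-name" is a hypothetical file.

# Print a stable cookie name for the instance rooted at $1.
# The name is generated once and read back on every later start.
stable_cookie_name() {
    home=$1
    file="$home/session-cookie-name"
    if [ -s "$file" ]; then
        name=$(cat "$file")
    else
        # 4 random bytes as 8 hex characters
        suffix=$(od -An -N4 -tx1 /dev/urandom | tr -d ' \n')
        name="JSESSIONID.$suffix"
        # Write to a temp file and rename, so a crash never leaves a partial name
        printf '%s\n' "$name" > "$file.tmp.$$" && mv "$file.tmp.$$" "$file"
    fi
    # The value ends up on the java command line: reject anything that is
    # not "JSESSIONID." plus lowercase hex, so an edited or corrupted file
    # cannot smuggle extra JVM arguments through word splitting.
    case $name in
        JSESSIONID. | JSESSIONID.*[!0-9a-f]*) return 1 ;;
        JSESSIONID.*) printf '%s\n' "$name" ;;
        *) return 1 ;;
    esac
}

# Print the JVM option that pins the cookie name for this instance.
jenkins_session_args() {
    name=$(stable_cookie_name "$1") || return 1
    printf '%s\n' "-DexecutableWar.jetty.sessionIdCookieName=$name"
}

# Typical use in a start script (not executed here):
#   opt=$(jenkins_session_args "$JENKINS_HOME") || exit 1
#   exec java "$opt" -jar jenkins.war
```

The name is kept per instance rather than hard-coded because cookies are not isolated by port, so two instances on one hostname that share a cookie name would overwrite each other's session cookie.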

              People

              • Assignee: Unassigned
              • Reporter: ericcitaire Eric Citaire
              • Votes: 35
              • Watchers: 36
