We have a number of Atlassion products: Confluence, Jira, Bamboo, and Fisheye/Crucible. For Confluence, Jira, and Bamboo when I log in I get a session (cookie?) which lasts for a very long time (many days, at least) or even "forever" (until the service is restarted anyway).
But for Fisheye/Crucible, I am forced to log after a relatively short amount of inactivity (like an hour or a small number of hours).
This is extremely annoying; for example I may spend a long time doing a code review without noticing that I was logged out the whole time, until I want to add a comment. Now all that time I spent doing the code review is not tracked.
I've not found any way to change the session timeout for Fisheye/Crucible like I can for the other tools. How can I do this?
I found this question: https://answers.atlassian.com/questions/98209/change-automatic-logout-value but the answer points to a deleted page.
The root cause of this has indeed been found and a fix will be available in the upcoming 3.2.0 version of FishEye/Crucible.
There was a race condition, when a user's session had timed out, and a rememberme cookie was present. The first request would always reset the rememberme cookie, and the second would lose the race and be logged out.
In the meantime, please work around this issue by increasing the session timeout: https://confluence.atlassian.com/display/CRUCIBLE027/Increasing+the+session+timeout
Thanks for this info Nick. We've already (long since) upped the timeout to as high as it will go, but we still see these issues. It seems that if you use multiple tabs in your browser (such as if you click a link in your email and have your browser set to open a new tab for each page request) that it will quite often get confused about login when the new tab opens. I've found that it is a little bit less logout-prone if you're careful to never have more than one browser tab at a time using the fisheye site. However, it still logs you out fairly regularly. I'm hoping the new version will fix this problem for good.
The upcoming version 3.2.0, due out at the end of November will contain the fix.
We have been running with this version and fix internally for about 2 weeks now, and it is indeed very robust. I believe you will see a massive improvement when you get to upgrade to this newer version once it is released.
What version of FishEye/Crucible are you running? For the last several releases we have defaulted to forcing remember-me as on and setting a year-long timeout on the remember me cookie.
The page that answer references was deleted because it described a process which is not relevant to current releases of FishEye/Crucible.
If you are running a recent version of FishEye/Crucible (2.7 or newer) then it is possible you are hitting a bug or misconfiguration which is causing the remember me cookie not to be saved.
Hi Richard; thanks for the response. We are running "Version:2.10.1 Build:20130129025917 2013-01-29". We did upgrade to this version a few weeks ago from a MUCH older version (I forget which now). So it's possible there's some old configuration lying around. Where should I go to look for that?
On my system I don't even get a "remember me" box to check when I log in...
Could you verify it is happening consistently accross different browsers?
It would be useful to understand a bit more about your setup. Are you accessing FishEye/Crucible directly or do you have a server in between acting as an AJP or HTTP proxy? Is your site url setup correctly?
Hi Richard. Yes, it happens from different browsers: it impacts all users regardless of whether they use Firefox, Chrome, or Safari on Linux and MacOS (we don't have any IE users here that I'm aware of--our Windows users use Firefox or Chrome). Unfortunately I'm really not familiar with all this webbiness: my day job is a low level systems/network software developer. We do connect directly to the server, no proxy server. The site url says: not set (defaults to http://tools/fisheye) and that's how we access it, via that URL.
You need to provide more details about what is causing the logout ?
Is the remember cookie set in you browser ?
Do you have any custom authentication configured ?
How often does it happen ?
What appears to trigger this ?
What do you see in the fisheye log files when this happens ?
Anything like: "cannot re-authenticate user" ?
I definitely have cookies remembered: all my other Atlassian products (Jira, Confluence, Bamboo) have no problems remembering my login session for days or even weeks. It only happens with Crucible.
I'm using Chrome 31.0.1650.63 on GNU/Linux as my browser.
We are using crowd for authentication.
It seems triggered (now, since upgrading to 3.2) simply by waiting long enough. If I do the same thing after waiting only 10 minutes or so, it's fine and I'm not logged out. Before 3.2, it would happen much more often if you opened multiple tabs (the different tabs seemed to fight over which was logged in) but that part appears to be fixed now with 3.2.
I don't see anything interesting or useful in the log files. There are some Java stack traces there but nothing matching "authent" at all. Most of the lines are marked as "fisheye"; is there something else we need to do to get crucible logs or are they the same thing?
Hi Nick; I'd love to work with you on this. However I'm a systems software developer and have no real experience with web development or administration, and I have lots of other priorities so I don't have time to learn about it all unfortunately. But I can try to provide specific, targeted information. I was trying to work with Atlassian support last year but simply couldn't provide all the detailed information they were looking for or perform the experiments they were interested in, and once I heard that others had this same issue, I simply let the support case lapse. It's CRC-5208 if that has any value.
I have no idea what is causing the log out. But if I'm using Crucible (I don't actually use Fisheye directly much at all) and I'm logged in, then I go do some other work for a while (a few hours or so) where I'm not using Crucible for that time, then I get an email from Crucible (for example) that I need to do a code review and I click the link so it opens a new tab in my browser, then I see I'm no longer logged in and I have to log in again. It's not just an email link though: if I go to the site directly I also am no longer logged in.
We are on Crucible Version:3.2.4 and are experiencing the same premature log-out issue.
In FireFox 26.0 on Ubuntu, I see the following behavior:
* Log in successfully; cookies contain *FESESSIONID* and *remember* (remember has an Expires of 1 year).
* Keep page open in browser (doesn't seem to matter which page)
* After 73 minutes on the page, a GET request to /user/USERNAME?ajax=true is made (where USERNAME is a placeholder for my user identifier). The response contains a Set-Cookie header which changes *FESESSIONID* and *crucibleprefs1*, and deletes *remember*
Note: I performed this test once, so I don't know if the time it takes to reset is consistent.
I do not see anything wonky in the logs at that time.
Let me know if you need more data or if there's a ticket I can add detail to (or vote for)
It seems like a bug. Would you consider raising a support case (support.atlassian.com) attaching HAR file with full activity of your browser? In Chrome you can save HAR file natively, just open Network tab in Developer tools, then open fisheye URL and try to repeat the issue, waiting for your user to be logged out. Finally right click in the Network tab and select "save as HAR with content". I'm not sure if HAR file can be generated by vanilla FireFox, but I believe Firebug extension can do it too.
Please note har file would contain your password in clear text if you login to fisheye, so either login before opening Network tab (just load any fisheye page after opening Network tab so we have original cookies) or user fake user with fake password if possible.
Kind regards, Piotr
Some people are reporting this issue still persists in 3.2.0.
We are interested in getting to the bottom of this. We have not had any reports of the issue continuing to occur on any of our internal FishEye/Crucible instances since the upgrade to 3.2.0.
Just some background as to how remember me works in FishEye/Crucible. Any assistance in diagnosing the problem from your end would be very helpful.
FishEye uses two cookies to manage sessions and rememberme functionality.
FESESSIONID represents a user session on the server and expires when you close the browser. It gets reset when a user logs in again.
A user can 'log in' in multiple ways:
1. via the login form
2. via a special Cookie called: 'remember'
The remember cookie is valid for 12 months from last activity. It contains a special hashcode, which is as good as a password to authenticate a user. If there is no FESESSIONID cookie present in a request, then the remember cookie will be used to log the user in, and an FESESSIONID will be created and used to authorize subsequent requests.
If you could check that these cookies are working as expected in your environment when you are seeing this behaviour it would help immensley in diagnosing the problem. There definitely was a race condition pre-3.2.0 which caused one request to log the subsequent request out of FishEye. This issue has been resolved as far as we can tell. There may be something else occurring causing the behaviour you are now seeing.
I agree with Albert. This is definitely not fixed.
Over the break we upgraded to F+C 3.2.3. Although the timeout issue appears _slightly_ more sane than before (in that if I click a link to a crucible review that I get in email and it opens a new tab in my browser, it doesn't always require me to log in), it's still the case that I need to log into F+C multiple times a day.
How can I fix it so that Fisheye+ Crucible works like Jira, Bamboo, and Confluence and when I log in I _stay_ logged in for multiple days in a row?
3.2.0 was released on November 27! 3.2.1 is already hot off the press: https://www.atlassian.com/software/fisheye/download
I am certain you will see a vast improvement in inadvertant logouts with the Remember Me cookie set with this release.
Hi Paul, Sorry about that. The release went out on time, however the website will be updated today or tomorrow sometime. For what's new, see https://confluence.atlassian.com/display/FISHEYE/FishEye+3.2+release+notes and also be sure to study the Upgrade Guide: https://confluence.atlassian.com/display/FISHEYE/FishEye+upgrade+guide
Er... ugh. I've been going to https://www.atlassian.com/software/fisheye/overview then clicking "What's New" to see what the latest release is, and the only releases documented there are 3.1 (and below).
Is this not public yet, or is the website just not updating properly for me?
I'll schedule a downtime to upgrade and let you know how it goes!
Timeouts have improved on our systems (FE/Cruc 3.1.4) with session-timeout set to 120. However, I haven't been able to find anything on what the maximum setting is? Is there any reason I can't make it 600?
I also ran across this snippet on Stackoverflow but haven't been able to verify:
One other thing to note - setting the value to 0 or less in the web.xml means sessions will never timeout (not as long as the servlet container is alive anyway).
We know that great teams require amazing project management chops. It's no surprise that great teams who use Jira have strong project managers, effective workflows, and secrets that bring planning ...