HMAC request tokens expiring prematurely: "request did not include a valid token" #960

Closed
operations-ivy opened this Issue Oct 8, 2014 · 25 comments


operations-ivy commented Oct 8, 2014

I have to log out/log in for essentially ANY change made to the jobs I'm running currently. I receive the error "The request did not include a valid token, or the token has expired. Please try your request again." 9/10 times when I hit save after editing a job's details. I'm not waiting an extraordinarily long amount of time before submitting the changes to the job; in some cases I'm hitting save seconds after logging in, and still get the error.

gschueler commented Oct 8, 2014 (Member)

The tokens are stored in the session to track them. I wonder if the page HTML is cached in some way on the browser. Do you log in, then click on Edit, and submit the page right away?

One thing you can try: set rundeck.security.useHMacRequestTokens=false in the rundeck-config.properties file. This will then use UUIDs instead of the HMAC tokens, which means they should not expire. If you still have the same problem, it's something to do with the session.

mentioned here: http://rundeck.org/docs/administration/configuration-file-reference.html#security

r3cgm commented Oct 9, 2014

I had the same issue, and the workaround suggested above worked for me. I wonder why a subset of us are having this issue? I'm running Ghostery and Disconnect plugins for Safari, for what it's worth.

gschueler commented Oct 9, 2014 (Member)

Did you try disabling those plugins?

gschueler commented Oct 9, 2014 (Member)

FYI: I've had trouble with Ghostery and JavaScript on pages in the past.

r3cgm commented Oct 9, 2014

I reenabled HMacRequestTokens so I could test with these browser extensions disabled, and now I can't get the problem to express itself. Tried 20 different edits/saves. Previously after just a few saves I would start getting failures about 2/3rds of the time. In any case, if others have the same issue maybe we should compare notes and try to figure out what we might have in common.

operations-ivy commented Oct 9, 2014

This fixed the issue. Is there a downside to disabling tokens?

gschueler commented Oct 9, 2014 (Member)

The tokens are not disabled; it just switches to a different type of token that does not expire as long as your session is active on the server.

vroumvroum commented Nov 6, 2014

I had the same issue. Disabling HMacRequestTokens worked. I'm running the 2.3.1 release under the Tomcat application server.

jasonhensler commented Nov 19, 2014 (Contributor)

We have been having issues as well with the tokens timing out. We are using 2.3.2 on a Tomcat server. What is the default timeout? I couldn't find it in the documentation.

kshkuratoff commented Nov 26, 2014

I'm definitely having this issue also. It makes it really hard to edit jobs; it happens really frequently while I'm working (and you lose your changes). Cycling through trying it again a few times (5?), it'll eventually usually go through (this is without logging out of/into Rundeck, still within the same session). I agree with the first post: it doesn't seem to be predictable. Short time, long time, repeatedly in a row and then it finally works (doing exactly the same thing).

gschueler commented Nov 26, 2014 (Member)

Perhaps UUID tokens should be set as the default then.

kshkuratoff commented Nov 27, 2014

I still think a timed expiry of some sort is probably desirable security wise (though wearing my developer hat I like extended sessions). It doesn't appear to be just a case of a missing redirect to login (if expired), because I'd expect to never succeed at saving a project if session was truly expired. But, without a fresh log in, I can eventually succeed at saving if I try enough times, which seems like a slightly deeper issue.

@gschueler gschueler added this to the 2.4.0 milestone Dec 3, 2014

gschueler commented Dec 3, 2014 (Member)

I will switch the default to UUID tokens. UUID tokens will expire when the user session expires. If HMAC tokens are desired, they will need to be explicitly enabled with rundeck.security.useHMacRequestTokens=true. I agree, there is some other bug causing unexpected token timeouts.

@gschueler gschueler modified the milestones: 2.x, 2.4.0 Dec 3, 2014

@gschueler gschueler changed the title from constantly getting "The request did not include a valid token, or the token has expired. Please try your request again. " to HMAC request tokens expiring prematurely: "request did not include a valid token" Dec 3, 2014

@gschueler gschueler added the bug label Dec 3, 2014

gschueler commented Dec 3, 2014 (Member)

OK, had a chance to dig into this. I think the bug is that sometimes the same token is generated for multiple parts of the job edit form. When the token is used by modifying a step, for example, it is no longer valid for the form itself. It can occur occasionally due to the way tokens are generated using timestamps, so the fix will be to make sure not to generate the same token twice.
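The collision Greg describes, and the UUID fallback from his first reply, as an added example that is not part of this thread and not Rundeck's code. It simulates one-time request tokens (the synchronizer-token defence against CSRF) stored in a server-side session: a timestamp-only HMAC generator that repeats within one page render, a fixed generator that folds a per-session counter into the MAC input, and a random-UUID generator. The HMAC construction, the millisecond clock, the counter-based fix and the Session class are assumptions made for the illustration, not Rundeck's implementation.

```python
"""
Model of the token bug discussed above: one-time request tokens derived from
a timestamp can repeat within a single page render, so spending the token for
the inline step editor also burns the token the main Save form still holds.
Added illustration only; not Rundeck's code.  The HMAC construction, the
fixed millisecond clock, the counter-based fix and the Session layout are
assumptions made for this example.
"""
import hashlib
import hmac
import itertools
import secrets
import uuid


class Session:
    """Server-side session: a per-session key plus the tokens not yet spent."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)   # per-session HMAC key (assumed)
        self.valid_tokens = set()               # tokens the user may still submit
        self.seq = itertools.count()            # used only by the fixed generator

    def consume(self, token):
        """One-time use: accept a known token once, then forget it."""
        if token in self.valid_tokens:
            self.valid_tokens.discard(token)
            return True
        return False


def timestamp_hmac_token(session, now_ms):
    """Buggy generator: HMAC over the timestamp only.  Two calls in the same
    millisecond yield the identical token, so the second form part shares it."""
    mac = hmac.new(session.secret, str(now_ms).encode(), hashlib.sha256)
    token = mac.hexdigest()[:32]
    session.valid_tokens.add(token)
    return token


def unique_hmac_token(session, now_ms):
    """Fixed generator: a per-session counter goes into the MAC input, so the
    same timestamp never produces the same token twice."""
    msg = f"{now_ms}:{next(session.seq)}".encode()
    token = hmac.new(session.secret, msg, hashlib.sha256).hexdigest()[:32]
    session.valid_tokens.add(token)
    return token


def uuid_token(session, now_ms):
    """The useHMacRequestTokens=false path: a random UUID with no timestamp,
    valid until spent or until the session itself ends."""
    token = str(uuid.uuid4())
    session.valid_tokens.add(token)
    return token


def render_job_edit_page(session, generate, now_ms):
    """A job edit page that embeds two tokens minted in the same instant:
    one for the inline step editor and one for the main Save form."""
    step_token = generate(session, now_ms)
    form_token = generate(session, now_ms)
    return step_token, form_token


def edit_step_then_save(session, generate, now_ms):
    """User edits a step (spends the step token), then clicks Save (spends the
    form token).  Returns (step_accepted, save_accepted)."""
    step_token, form_token = render_job_edit_page(session, generate, now_ms)
    step_ok = session.consume(step_token)
    save_ok = session.consume(form_token)
    return step_ok, save_ok


if __name__ == "__main__":
    NOW_MS = 1412784000000   # constructed: one fixed millisecond for the render
    for name, gen in [("timestamp HMAC", timestamp_hmac_token),
                      ("unique HMAC", unique_hmac_token),
                      ("UUID", uuid_token)]:
        step_ok, save_ok = edit_step_then_save(Session(), gen, NOW_MS)
        verdict = "saved" if save_ok else "request did not include a valid token"
        print(f"{name:15s} step edit ok={step_ok} -> save: {verdict}")
```

Running it shows the timestamp-only generator accepting the step edit and then rejecting the Save with the same error the reporters saw, while both the counter-based HMAC and the UUID generators accept both submits. Note the collision is a correctness bug, not a forgery weakness: the MAC is still keyed per session, so an attacker off-session cannot mint a valid token either way; what breaks is only that the legitimate user's second form part is silently invalidated.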


AndyBerman commented Dec 23, 2014

I'm getting the same error on 2.4.0:

The request did not include a valid token, or the token has expired. Please try your request again.

I tried setting rundeck.security.useHMacRequestTokens=false, but that did not help.

gschueler commented Dec 30, 2014 (Member)

@AndyBerman what action were you performing?

AndyBerman commented Dec 30, 2014

I was trying to edit an existing option for a job I had created.


AndyBerman commented Jan 9, 2015

I can't reproduce this anymore. I'm using Chrome now which appears better than IE.

memelet commented Nov 26, 2015

What was the fix that closed this issue? I can't edit a command more than a few times before being forced to refresh and re-enter everything.

kshkuratoff commented Nov 26, 2015

The proper fix was done by Greg about a year ago, having to do with the token generation:
4a27a33

The temporary fix that we applied (which might work for you as well) was to change the token setting in Config.groovy to false
rundeck.security.useHMacRequestTokens=false

memelet commented Nov 27, 2015

I've set rundeck.security.useHMacRequestTokens=false, but still get timed out within a few minutes. But only on the Commands tab, it seems (or at least mostly).

shlomoa commented Oct 15, 2017

Still happening, with login module: activedirectory

pixdrift commented Dec 14, 2017

Also still seeing this with Rundeck 2.10.0-1 using preauthenticated

brutus333 commented Mar 30, 2018

I am seeing the same with Rundeck 2.10.0-1 and local authentication

smysnk commented Sep 7, 2018

Also seeing this in Rundeck 3.0.5 and pre-auth
