Bug 1270436 - Could not log in when client clock is > 5 minutes ahead of server clock
Could not log in when client clock is > 5 minutes ahead of server clock
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Auth (Show other bugs)
3.3.0
Unspecified Unspecified
high Severity low
: ---
: 3.7.0
Assigned To: Jordan Liggitt
yapei
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-10-10 01:39 EDT by yapei
Modified: 2017-11-28 16:51 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-11-28 16:51:43 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
IE11.0.14 (64.49 KB, image/png)
2015-10-10 01:40 EDT, yapei
no flags Details
IE11.0.19 (51.09 KB, image/png)
2015-10-10 01:41 EDT, yapei
no flags Details
IE11.0.7 (22.12 KB, image/png)
2015-10-10 01:41 EDT, yapei
no flags Details
IE 11.0.9 working.png (47.67 KB, image/png)
2015-10-11 20:56 EDT, Jordan Liggitt
no flags Details
Login captures with fiddler (222.43 KB, application/zip)
2015-10-12 01:52 EDT, yapei
no flags Details
Clean login captures (82.62 KB, application/zip)
2015-10-12 02:21 EDT, yapei
no flags Details
Successful login capture (86.29 KB, application/zip)
2015-10-12 23:13 EDT, yapei
no flags Details

  None (edit)
Description yapei 2015-10-10 01:39:32 EDT
Description of problem:
Login with correct username and password on web console for IE 11.0.9, 11.0.14 and 11.0.19 failed, it stays on the login page instead of directing to home page. But on IE 11.0.7, login is successful 

Version-Release number of selected component (if applicable):
Version:11.0.9600.17420  Update Versions:11.0.14
Version:11.0.9600.17801  Update Versions:11.0.19
Version:11.0.9600.16428  Update Versions:11.0.9

How reproducible:
Always

Steps to Reproduce:
1.Start Openshift
2.Open web console
3.Login with correct username and password

Actual results:
The console didn't go to home page, instead it stays on the login page and waits for another login, see attachments

Expected results:
Should login successfully

Additional info:
Comment 1 yapei 2015-10-10 01:40 EDT
Created attachment 1081510 [details]
IE11.0.14

This VM is got from Microsoft http://dev.modern.ie/tools/vms/linux/
Comment 2 yapei 2015-10-10 01:41 EDT
Created attachment 1081511 [details]
IE11.0.19
Comment 3 yapei 2015-10-10 01:41 EDT
Created attachment 1081512 [details]
IE11.0.7
Comment 4 yapei 2015-10-10 01:44:37 EDT
Not sure about other versions, only have environment cover version 11.0.7, 11.0.9, 11.0.14 and 11.0.19
Comment 5 Jordan Liggitt 2015-10-11 20:56:23 EDT
I can't reproduce on IE 11.0.9... login works fine (see screenshot)

Can you verify the security and privacy settings are at their defaults?

Tools > Internet Options > Security
Tools > Internet Options > Privacy
Comment 6 Jordan Liggitt 2015-10-11 20:56 EDT
Created attachment 1081845 [details]
IE 11.0.9 working.png
Comment 7 Jordan Liggitt 2015-10-11 20:58:29 EDT
Actually, I misread... I have 11.0.14, but it is working fine as far as I can tell.
Comment 8 yapei 2015-10-11 23:40:26 EDT
(In reply to Jordan Liggitt from comment #7)
> Actually, I misread... I have 11.0.14, but it is working fine as far as I
> can tell.

Hi Jordan, I performed "Reset all zones to default level" for "Internet Options -> Security" setting, and compared the "Privacy" setting with 11.0.7 on my machine, they're the same.

But I still can't login, see screen-shots. Any chances to tell me your settings?
Comment 9 Jordan Liggitt 2015-10-12 00:01:43 EDT
All defaults for security and privacy.

Can you capture a fiddler trace of the login flow using the fiddler proxy on the IE VM (http://www.telerik.com/fiddler)?

You'll need to run the installer, start fiddler, set it to capture traffic, and enable the option to decrypt HTTPS traffic (Options > HTTPS > Decrypt). Follow the prompts to create/install a local CA.

Then, with a cleared cache, go through the login flow, then export the fiddler data and attach it.
Comment 10 yapei 2015-10-12 01:52 EDT
Created attachment 1081872 [details]
Login captures with fiddler
Comment 11 yapei 2015-10-12 02:21 EDT
Created attachment 1081890 [details]
Clean login captures
Comment 12 Jordan Liggitt 2015-10-12 11:13:20 EDT
Can you check if the times in your IE VMs are in sync with your OpenShift server? The session cookies getting sent from the server (which are valid for 5 minutes) are not being returned by IE, and I'm wondering if it's a timestamp sync issue.
Comment 13 yapei 2015-10-12 22:52:47 EDT
times in my failure IE VM are the same with my local machine, take an example

Time in failure IE VM: 10:33 am, 10/13/2015
Time on local machine: 10:33 am, 10/13/2015
Corresponding time in Openshift Server: Tue Oct 13 02:33:24 UTC 2015

I have IE installed on two different VMs, these two VMs keeps the same time, but one could login successful while the other not.
Comment 14 yapei 2015-10-12 23:13 EDT
Created attachment 1082223 [details]
Successful login capture
Comment 15 Jordan Liggitt 2015-10-13 11:14:19 EDT
Can you check the timezones in the IE vms match each other? I still wonder if the issue is time related
Comment 16 yapei 2015-10-13 21:49:41 EDT
Good news, found the root cause, here are steps
1)Change the timezones in two IE VMs to "UTC +08:00",keep the same with my local machine.
In this step, I found that time in failure IE VMs are different with the correct time.
2) So I manually adjusted the time to correct time

After these steps, could login successfully.

Any reason for this time syncing problem?
Comment 17 Jordan Liggitt 2015-10-14 15:26:34 EDT
The session cookie required for login is set to expire after 5 minutes. If the browser's OS is more than 5 minutes ahead of the server, it will expire the cookie immediately and login will fail.

May need to set the cookie for a longer expiration, and an internal timestamp for the short expiration and check session validity ourselves.
Comment 18 Jordan Liggitt 2015-10-16 12:01:21 EDT
Updated title to reflect cause.
Comment 19 Jordan Liggitt 2017-09-08 10:08:49 EDT
Fixed in https://github.com/openshift/origin/pull/13180
Comment 20 yapei 2017-09-13 04:11:55 EDT
Checked on v3.7.0-0.125.0

The issue on IE is fixed, move to VERIFIED
Comment 24 errata-xmlrpc 2017-11-28 16:51:43 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188

Note You need to log in before you can comment on or make changes to this bug.