1270436 – Could not log in when client clock is > 5 minutes ahead of server clock

Bug 1270436 - Could not log in when client clock is > 5 minutes ahead of server clock

Summary: Could not log in when client clock is > 5 minutes ahead of server clock

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	apiserver-auth
Sub Component:
Version:	3.3.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	low
Target Milestone:	---
Target Release:	3.7.0
Assignee:	Jordan Liggitt
QA Contact:	Yadan Pei
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2015-10-10 05:39 UTC by Yadan Pei
Modified:	2017-11-28 21:51 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-11-28 21:51:43 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
IE11.0.14 (64.49 KB, image/png) 2015-10-10 05:40 UTC, Yadan Pei	no flags	Details
IE11.0.19 (51.09 KB, image/png) 2015-10-10 05:41 UTC, Yadan Pei	no flags	Details
IE11.0.7 (22.12 KB, image/png) 2015-10-10 05:41 UTC, Yadan Pei	no flags	Details
IE 11.0.9 working.png (47.67 KB, image/png) 2015-10-12 00:56 UTC, Jordan Liggitt	no flags	Details
Login captures with fiddler (222.43 KB, application/zip) 2015-10-12 05:52 UTC, Yadan Pei	no flags	Details
Clean login captures (82.62 KB, application/zip) 2015-10-12 06:21 UTC, Yadan Pei	no flags	Details
Successful login capture (86.29 KB, application/zip) 2015-10-13 03:13 UTC, Yadan Pei	no flags	Details
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2017:3188	0	normal	SHIPPED_LIVE	Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update	2017-11-29 02:34:54 UTC

Description Yadan Pei 2015-10-10 05:39:32 UTC

Description of problem:
Login with correct username and password on web console for IE 11.0.9, 11.0.14 and 11.0.19 failed, it stays on the login page instead of directing to home page. But on IE 11.0.7, login is successful 

Version-Release number of selected component (if applicable):
Version:11.0.9600.17420  Update Versions:11.0.14
Version:11.0.9600.17801  Update Versions:11.0.19
Version:11.0.9600.16428  Update Versions:11.0.9

How reproducible:
Always

Steps to Reproduce:
1.Start Openshift
2.Open web console
3.Login with correct username and password

Actual results:
The console didn't go to home page, instead it stays on the login page and waits for another login, see attachments

Expected results:
Should login successfully

Additional info:

Comment 1 Yadan Pei 2015-10-10 05:40:44 UTC

Created attachment 1081510 [details]
IE11.0.14

This VM is got from Microsoft http://dev.modern.ie/tools/vms/linux/

Comment 2 Yadan Pei 2015-10-10 05:41:16 UTC

Created attachment 1081511 [details]
IE11.0.19

Comment 3 Yadan Pei 2015-10-10 05:41:37 UTC

Created attachment 1081512 [details]
IE11.0.7

Comment 4 Yadan Pei 2015-10-10 05:44:37 UTC

Not sure about other versions, only have environment cover version 11.0.7, 11.0.9, 11.0.14 and 11.0.19

Comment 5 Jordan Liggitt 2015-10-12 00:56:23 UTC

I can't reproduce on IE 11.0.9... login works fine (see screenshot)

Can you verify the security and privacy settings are at their defaults?

Tools > Internet Options > Security
Tools > Internet Options > Privacy

Comment 6 Jordan Liggitt 2015-10-12 00:56:56 UTC

Created attachment 1081845 [details]
IE 11.0.9 working.png

Comment 7 Jordan Liggitt 2015-10-12 00:58:29 UTC

Actually, I misread... I have 11.0.14, but it is working fine as far as I can tell.

Comment 8 Yadan Pei 2015-10-12 03:40:26 UTC

(In reply to Jordan Liggitt from comment #7)
> Actually, I misread... I have 11.0.14, but it is working fine as far as I
> can tell.

Hi Jordan, I performed "Reset all zones to default level" for "Internet Options -> Security" setting, and compared the "Privacy" setting with 11.0.7 on my machine, they're the same.

But I still can't login, see screen-shots. Any chances to tell me your settings?

Comment 9 Jordan Liggitt 2015-10-12 04:01:43 UTC

All defaults for security and privacy.

Can you capture a fiddler trace of the login flow using the fiddler proxy on the IE VM (http://www.telerik.com/fiddler)?

You'll need to run the installer, start fiddler, set it to capture traffic, and enable the option to decrypt HTTPS traffic (Options > HTTPS > Decrypt). Follow the prompts to create/install a local CA.

Then, with a cleared cache, go through the login flow, then export the fiddler data and attach it.

Comment 10 Yadan Pei 2015-10-12 05:52:46 UTC

Created attachment 1081872 [details]
Login captures with fiddler

Comment 11 Yadan Pei 2015-10-12 06:21:01 UTC

Created attachment 1081890 [details]
Clean login captures

Comment 12 Jordan Liggitt 2015-10-12 15:13:20 UTC

Can you check if the times in your IE VMs are in sync with your OpenShift server? The session cookies getting sent from the server (which are valid for 5 minutes) are not being returned by IE, and I'm wondering if it's a timestamp sync issue.

Comment 13 Yadan Pei 2015-10-13 02:52:47 UTC

times in my failure IE VM are the same with my local machine, take an example

Time in failure IE VM: 10:33 am, 10/13/2015
Time on local machine: 10:33 am, 10/13/2015
Corresponding time in Openshift Server: Tue Oct 13 02:33:24 UTC 2015

I have IE installed on two different VMs, these two VMs keeps the same time, but one could login successful while the other not.

Comment 14 Yadan Pei 2015-10-13 03:13:42 UTC

Created attachment 1082223 [details]
Successful login capture

Comment 15 Jordan Liggitt 2015-10-13 15:14:19 UTC

Can you check the timezones in the IE vms match each other? I still wonder if the issue is time related

Comment 16 Yadan Pei 2015-10-14 01:49:41 UTC

Good news, found the root cause, here are steps
1)Change the timezones in two IE VMs to "UTC +08:00"，keep the same with my local machine.
In this step, I found that time in failure IE VMs are different with the correct time.
2) So I manually adjusted the time to correct time

After these steps, could login successfully.

Any reason for this time syncing problem?

Comment 17 Jordan Liggitt 2015-10-14 19:26:34 UTC

The session cookie required for login is set to expire after 5 minutes. If the browser's OS is more than 5 minutes ahead of the server, it will expire the cookie immediately and login will fail.

May need to set the cookie for a longer expiration, and an internal timestamp for the short expiration and check session validity ourselves.

Comment 18 Jordan Liggitt 2015-10-16 16:01:21 UTC

Updated title to reflect cause.

Comment 19 Jordan Liggitt 2017-09-08 14:08:49 UTC

Fixed in https://github.com/openshift/origin/pull/13180

Comment 20 Yadan Pei 2017-09-13 08:11:55 UTC

Checked on v3.7.0-0.125.0

The issue on IE is fixed, move to VERIFIED

Comment 24 errata-xmlrpc 2017-11-28 21:51:43 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188

Note You need to log in before you can comment on or make changes to this bug.