"Stay signed in" is broken after upgrading to 8.7.5

hoomanv
Posts: 13
Joined: Sat Sep 13, 2014 3:26 am
ZCS/ZD Version: 8.7.10

"Stay signed in" is broken after upgrading to 8.7.5

Post by hoomanv »

Hi,

We have recently upgraded from 8.6 to 8.7.5. The upgrade process was smooth, although I had to use the 8.6 installer first to install the proxy and memcached components before being able to upgrade to 8.7.
Ever since, the "Stay signed in" functionality is broken in the web client. HTTP cookies are lost after browser restart.

COS is configured like this:
Authtoken timeout: 30 days
Session idle timeout: 1 day

Using Chrome's developer tools I found the following sequence is happening once a user signs in:

1- A POST request is sent to the server

POST / HTTP/1.1
Host: mail.mycompany.com
Connection: keep-alive
Content-Length: 84
Cache-Control: max-age=0
Origin: https://mail.mycompany.com/
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.98 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://mail.mycompany.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8,fa;q=0.6
Cookie: ZM_TEST=true

loginOp=login&username=username&password=password&zrememberme=1&client=preferred

2- Server responds and sets the ZM_AUTH_TOKEN cookie with correct expiration date

HTTP/1.1 302 Found
Date: Sat, 25 Mar 2017 14:26:56 GMT
X-Frame-Options: SAMEORIGIN
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html;charset=utf-8
Content-Language: en-US
Set-Cookie: ZM_AUTH_TOKEN=XXXXXXXXXXXXXXXXXXXXXXXXXX;Path=/;Expires=Mon, 24-Apr-2017 14:26:56 GMT;Secure;HttpOnly
Location: https://mail.mycompany.com/
Content-Length: 0

3- Another request is sent to the server

GET / HTTP/1.1
Host: mail.mycompany.com
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.98 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://mail.mycompany.com/
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8,fa;q=0.6
Cookie: ZM_TEST=true; ZM_AUTH_TOKEN=XXXXXXXXXXXXXXXXXXXXXXXXXX

4- Server responds, sets the JSESSIONID cookie and resets the ZM_AUTH_TOKEN cookie with the same value but without an expiration date

HTTP/1.1 200 OK
Date: Sat, 25 Mar 2017 14:26:56 GMT
X-Frame-Options: SAMEORIGIN
Expires: Tue, 24 Jan 2000 17:46:50 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html;charset=utf-8
Content-Language: en
Set-Cookie: ZM_AUTH_TOKEN=XXXXXXXXXXXXXXXXXXXXXXXXXX;Path=/;Secure;HttpOnly
Set-Cookie: JSESSIONID=YYYYYYYYYYYYYYYYYYYY;Path=/;Secure;HttpOnly
X-UA-Compatible: IE=edge
Vary: Accept-Encoding, User-Agent
Content-Encoding: gzip
Transfer-Encoding: chunked

The ZM_AUTH_TOKEN expiration parameter was gone on the second response, thus the cookie will be held only as long as the browser instance is running.
Another thing is that the JSESSIONID cookie set on the second response does not have an expiration parameter either, despite the fact that we have set the session idle timeout to 1 day in COS.
Is this a bug or am I missing a configuration?
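
The header sequence described in the post above can be checked mechanically. The following is an added example, not part of the original post and not Zimbra code: it replays the Date and Set-Cookie headers of the two responses (a constructed sample with shortened placeholder cookie values) the way a browser cookie jar applies them, and reports any cookie whose later Set-Cookie drops Expires/Max-Age. The function names are hypothetical, and the jar is keyed by cookie name only, which is a simplification.

```python
from datetime import timedelta
from email.utils import parsedate_to_datetime

# Constructed sample: the two responses from the post, reduced to the Date
# and Set-Cookie headers, with placeholder cookie values.
RESPONSES = [
    ("302 Found", [("Date", "Sat, 25 Mar 2017 14:26:56 GMT"),
        ("Set-Cookie", "ZM_AUTH_TOKEN=XXXX;Path=/;Expires=Mon, 24-Apr-2017 14:26:56 GMT;Secure;HttpOnly")]),
    ("200 OK", [("Date", "Sat, 25 Mar 2017 14:26:56 GMT"),
        ("Set-Cookie", "ZM_AUTH_TOKEN=XXXX;Path=/;Secure;HttpOnly"),
        ("Set-Cookie", "JSESSIONID=YYYY;Path=/;Secure;HttpOnly")]),
]

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, value, attrs); attribute names lower-cased."""
    first, *rest = [part.strip() for part in value.split(";")]
    name, _, val = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, attr_val = part.partition("=")
        attrs[key.strip().lower()] = attr_val.strip()
    return name, val, attrs

def lifetime(attrs, date_header):
    """Cookie lifetime relative to the response Date, or None for a session cookie."""
    if "max-age" in attrs:  # Max-Age takes precedence over Expires
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"]) - parsedate_to_datetime(date_header)
    return None

def replay(responses):
    """Apply responses in order; return (final jar, persistent-to-session downgrades)."""
    jar, findings = {}, []
    for status, headers in responses:
        date = dict(headers)["Date"]
        for key, value in headers:
            if key.lower() != "set-cookie":
                continue
            name, _, attrs = parse_set_cookie(value)
            new = lifetime(attrs, date)
            # A later Set-Cookie for the same name replaces the stored cookie,
            # including its expiry, so a missing Expires makes it session-only.
            if jar.get(name) is not None and new is None:
                findings.append((name, status, jar[name]))
            jar[name] = new
    return jar, findings

if __name__ == "__main__":
    for name, status, lost in replay(RESPONSES)[1]:
        print(f"{name}: lifetime of {lost} dropped by the {status} response")
```

On the sample, the first response gives ZM_AUTH_TOKEN a lifetime of exactly 30 days, matching the COS authtoken timeout, and the second response replaces it with a session cookie.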
hoomanv
Posts: 13
Joined: Sat Sep 13, 2014 3:26 am
ZCS/ZD Version: 8.7.10

Re: "Stay signed in" is broken after upgrading to 8.7.5

Post by hoomanv »

Has anyone encountered the same problem with 8.7.5?
manuel
Posts: 1
Joined: Thu Mar 30, 2017 6:14 am

Re: "Stay signed in" is broken after upgrading to 8.7.5

Post by manuel »

We've got the same, kind of annoying problem since 8.7.0.
There are some bug reports for this issue: #106840 and #107346.
I didn't find a solution yet...
hoomanv
Posts: 13
Joined: Sat Sep 13, 2014 3:26 am
ZCS/ZD Version: 8.7.10

Re: "Stay signed in" is broken after upgrading to 8.7.5

Post by hoomanv »

manuel wrote: We've got the same, kind of annoying problem since 8.7.0.
There are some bug reports for this issue: #106840 and #107346.
I didn't find a solution yet...

Thank you manuel, I upvoted those bug reports.