We have recently upgraded from 8.6 to 8.7.5. The upgrade process was smooth, although I had to use the 8.6 installer first to install the proxy and memcached components before being able to upgrade to 8.7.
Ever since, the "Stay signed in" functionality has been broken in the web client. HTTP cookies are lost after browser restart.
COS is configured like this:
Authtoken timeout: 30 days
Session idle timeout: 1 day
Using Chrome's developer tools I found the following sequence is happening once a user signs in:
1- A POST request is sent to the server
```
POST / HTTP/1.1
Host: mail.mycompany.com
Connection: keep-alive
Content-Length: 84
Cache-Control: max-age=0
Origin: https://mail.mycompany.com/
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.98 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://mail.mycompany.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8,fa;q=0.6
Cookie: ZM_TEST=true

loginOp=login&username=username&password=password&zrememberme=1&client=preferred
```
```
HTTP/1.1 302 Found
Date: Sat, 25 Mar 2017 14:26:56 GMT
X-Frame-Options: SAMEORIGIN
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html;charset=utf-8
Content-Language: en-US
Set-Cookie: ZM_AUTH_TOKEN=XXXXXXXXXXXXXXXXXXXXXXXXXX;Path=/;Expires=Mon, 24-Apr-2017 14:26:56 GMT;Secure;HttpOnly
Location: https://mail.mycompany.com/
Content-Length: 0
```
```
GET / HTTP/1.1
Host: mail.mycompany.com
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.98 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://mail.mycompany.com/
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8,fa;q=0.6
Cookie: ZM_TEST=true; ZM_AUTH_TOKEN=XXXXXXXXXXXXXXXXXXXXXXXXXX
```
```
HTTP/1.1 200 OK
Date: Sat, 25 Mar 2017 14:26:56 GMT
X-Frame-Options: SAMEORIGIN
Expires: Tue, 24 Jan 2000 17:46:50 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Type: text/html;charset=utf-8
Content-Language: en
Set-Cookie: ZM_AUTH_TOKEN=XXXXXXXXXXXXXXXXXXXXXXXXXX;Path=/;Secure;HttpOnly
Set-Cookie: JSESSIONID=YYYYYYYYYYYYYYYYYYYY;Path=/;Secure;HttpOnly
X-UA-Compatible: IE=edge
Vary: Accept-Encoding, User-Agent
Content-Encoding: gzip
Transfer-Encoding: chunked
```
Another thing is that the JSESSIONID cookie set on the second response does not have an expiration parameter either, despite the fact that we have set the session idle timeout to 1 day in COS.
Is this a bug or am I missing a configuration?
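
An added example, not part of the original post and not Zimbra code: it replays the `Set-Cookie` headers from the two responses above through a minimal cookie store that follows RFC 6265 replacement rules, to show which cookies end up persistent and which become session-only. The function names `parse_set_cookie` and `replay` are made up for this sketch, and it assumes all cookies share one host and `Path=/`, so the store is keyed by name only.

```python
# Added example: replay Set-Cookie headers through a minimal RFC 6265-style
# store to see which cookies would survive a browser restart.

def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, attrs); attribute names are lower-cased."""
    parts = [p.strip() for p in value.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs

def replay(responses):
    """Apply responses in order; return ({name: is_persistent}, [downgraded names])."""
    jar, downgraded = {}, []
    for headers in responses:
        for line in headers:
            field, _, value = line.partition(":")
            if field.strip().lower() != "set-cookie":
                continue
            name, attrs = parse_set_cookie(value)
            # A cookie is persistent only if it carries Expires or Max-Age.
            persistent = "expires" in attrs or "max-age" in attrs
            # A later cookie with the same name replaces the stored one entirely.
            if jar.get(name) and not persistent:
                downgraded.append(name)
            jar[name] = persistent
    return jar, downgraded

# Set-Cookie lines copied from the 302 and 200 responses in the post
# (token values are the masked ones shown there).
RESPONSES = [
    ["Set-Cookie: ZM_AUTH_TOKEN=XXXXXXXXXXXXXXXXXXXXXXXXXX;Path=/;Expires=Mon, 24-Apr-2017 14:26:56 GMT;Secure;HttpOnly"],
    ["Set-Cookie: ZM_AUTH_TOKEN=XXXXXXXXXXXXXXXXXXXXXXXXXX;Path=/;Secure;HttpOnly",
     "Set-Cookie: JSESSIONID=YYYYYYYYYYYYYYYYYYYY;Path=/;Secure;HttpOnly"],
]

if __name__ == "__main__":
    jar, downgraded = replay(RESPONSES)
    for name, persistent in jar.items():
        print(f"{name}: {'persistent' if persistent else 'session-only'}")
    for name in downgraded:
        print(f"WARNING: {name} was persistent, then re-issued without Expires/Max-Age")
```

Run against the captured headers, the store ends with both cookies session-only, and `ZM_AUTH_TOKEN` is reported as downgraded by the second response.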