
[release-4.20] OCPBUGS-78366: Clean up old session cookies to prevent accumulation #16136

Open
openshift-cherrypick-robot wants to merge 3 commits into openshift:release-4.20 from openshift-cherrypick-robot:cherry-pick-15985-to-release-4.20

Conversation

@openshift-cherrypick-robot

This is an automated cherry-pick of #15985

/assign TheRealJon

coderabbitai bot (Contributor) commented Mar 12, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.


openshift-ci-robot (Contributor) commented:

@openshift-cherrypick-robot: Jira Issue OCPBUGS-75000 has been cloned as Jira Issue OCPBUGS-78366. Will retitle bug to link to clone.
/retitle [release-4.20] OCPBUGS-78366: Clean up old session cookies to prevent accumulation


In response to this:

This is an automated cherry-pick of #15985

/assign TheRealJon

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci bot changed the title from "[release-4.20] OCPBUGS-75000: Clean up old session cookies to prevent accumulation" to "[release-4.20] OCPBUGS-78366: Clean up old session cookies to prevent accumulation" (Mar 12, 2026)
openshift-ci-robot added labels (Mar 12, 2026): jira/severity-moderate (referenced Jira bug's severity is moderate for the branch this PR is targeting), jira/valid-reference (this PR references a valid Jira ticket of any type), jira/valid-bug (a referenced Jira bug is valid for the branch this PR is targeting)
openshift-ci-robot (Contributor) commented:

@openshift-cherrypick-robot: This pull request references Jira Issue OCPBUGS-78366, which is valid. The bug has been moved to the POST state.

7 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.20.z) matches configured target version for branch (4.20.z)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)
  • release note text is set and does not match the template
  • dependent bug Jira Issue OCPBUGS-75000 is in the state Verified, which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
  • dependent Jira Issue OCPBUGS-75000 targets the "4.21.0" version, which is one of the valid target versions: 4.21.0, 4.21.z
  • bug has dependents

Requesting review from QA contact:
/cc @yapei

The bug has been updated to refer to the pull request using the external bug tracker.


In response to this:

This is an automated cherry-pick of #15985

/assign TheRealJon

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested review from TheRealJon, jhadvig and yapei March 12, 2026 14:41
@openshift-ci openshift-ci bot added the component/backend Related to backend label Mar 12, 2026
TheRealJon and others added 3 commits (March 13, 2026 13:27):

When users are load-balanced across multiple console pods, each pod
creates a session cookie with a unique name based on POD_NAME:
openshift-session-token-<POD_NAME>. With a 1-month cookie expiration,
users accumulate cookies from different pods without old ones being
removed, eventually causing the cookie header to exceed 4096 bytes.

This fix cleans up session cookies from other pods when creating a
new session, ensuring only one active session cookie exists at a time.

Changes:
- Modified AddSession() to expire old pod cookies before creating new session
- Updated DeleteSession() to use modern cookie expiration pattern
- Added test to verify old pod cookies are properly expired

Fixes: OCPBUGS-65967

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

When deleting cookies via HTTP response headers, browsers need the
deletion cookie to match the Name, Path, and Domain of the original
cookie. The previous implementation only set MaxAge=-1 on the existing
cookie object without explicitly setting the Path, which could prevent
proper cookie deletion.

This change creates a new cookie with the minimal required attributes
(Name, Path, Value="", MaxAge=-1) using the path from the session store
options, ensuring the browser properly recognizes and deletes the cookie.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Extract cookie cleanup logic into expireOldPodCookies helper method and
add proper cookie attributes (Secure, HttpOnly, SameSite) required for
browsers to properly delete cookies. Expand cleanup to GetSession and
UpdateTokens to handle all load balancing scenarios. Add comprehensive
test coverage for all cleanup paths.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Leo Li <leoli@redhat.com>
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
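The three commit messages above describe the mechanism but the page carries no diff. The following is an added example, not code from the openshift/console repository: it implements the cleanup the first and third commits describe (expire every openshift-session-token-<POD_NAME> cookie that belongs to another pod) and the deletion-cookie shape the second and third commits describe (matching Name and Path, MaxAge=-1, plus Secure, HttpOnly and SameSite). The function name expireOldPodCookies is taken from the commit message, but its signature, the cookie path "/", the SameSite=Lax choice and the constructed request are assumptions of this example. cookieHeaderLen measures the Cookie request header the browser would send, which is the value that grows toward the 4096-byte limit the bug report mentions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// sessionCookiePrefix is the per-pod naming scheme described in the commit:
// openshift-session-token-<POD_NAME>.
const sessionCookiePrefix = "openshift-session-token-"

// sessionCookieName returns the cookie name this pod uses for its own session.
func sessionCookieName(podName string) string {
	return sessionCookiePrefix + podName
}

// expireOldPodCookies emits a deletion cookie for every session cookie on the
// request that was issued by a different pod, and returns the names it expired.
// A deletion cookie only takes effect if the browser can match it to the stored
// cookie, so Name and Path (and Domain, if the original set one) must agree; the
// Secure, HttpOnly and SameSite attributes are repeated so the replacement is at
// least as restrictive as the cookie it removes. The path argument and the
// SameSite=Lax value are assumptions of this example, not values from the console.
func expireOldPodCookies(w http.ResponseWriter, r *http.Request, podName, path string) []string {
	current := sessionCookieName(podName)
	var expired []string
	for _, c := range r.Cookies() {
		if !strings.HasPrefix(c.Name, sessionCookiePrefix) || c.Name == current {
			continue // not a session cookie, or the one this pod owns
		}
		http.SetCookie(w, &http.Cookie{
			Name:     c.Name,
			Value:    "",
			Path:     path,
			MaxAge:   -1, // serialised as Max-Age=0: delete immediately
			Secure:   true,
			HttpOnly: true,
			SameSite: http.SameSiteLaxMode,
		})
		expired = append(expired, c.Name)
	}
	return expired
}

// cookieHeaderLen returns the size in bytes of the Cookie request header the
// browser would send for these cookies: the quantity that, per the bug report,
// grows with every pod a user lands on until it passes 4096 bytes.
func cookieHeaderLen(cookies []*http.Cookie) int {
	parts := make([]string, 0, len(cookies))
	for _, c := range cookies {
		parts = append(parts, c.Name+"="+c.Value)
	}
	return len(strings.Join(parts, "; "))
}

func main() {
	// Constructed request: the browser still carries session cookies from two
	// earlier pods plus an unrelated cookie, and this request lands on pod console-c.
	r := httptest.NewRequest(http.MethodGet, "/", nil)
	for _, pod := range []string{"console-a", "console-b"} {
		r.AddCookie(&http.Cookie{Name: sessionCookieName(pod), Value: strings.Repeat("t", 1500)})
	}
	r.AddCookie(&http.Cookie{Name: "csrf-token", Value: "abc"})
	fmt.Printf("Cookie header before cleanup: %d bytes\n", cookieHeaderLen(r.Cookies()))

	w := httptest.NewRecorder()
	expired := expireOldPodCookies(w, r, "console-c", "/")
	fmt.Println("expired:", expired)
	for _, sc := range w.Header().Values("Set-Cookie") {
		fmt.Println("Set-Cookie:", sc)
	}
}
```

If the production cookie is set with a Domain attribute, the deletion cookie must carry the same Domain as well, otherwise the browser treats it as a different cookie and the old one survives; the commit messages only call out Name and Path, so check the session store options before relying on this shape.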
openshift-cherrypick-robot force-pushed the cherry-pick-15985-to-release-4.20 branch from 573b8c9 to 662a13b (March 13, 2026 13:27)
TheRealJon (Member) commented:

/label backport-risk-assessed
/lgtm

@openshift-ci openshift-ci bot added the backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. label Mar 13, 2026
@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Mar 13, 2026
openshift-ci bot (Contributor) commented Mar 13, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: openshift-cherrypick-robot, TheRealJon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 13, 2026
openshift-ci bot (Contributor) commented Mar 13, 2026

@openshift-cherrypick-robot: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name                  Commit   Required  Rerun command
ci/prow/e2e-gcp-console    662a13b  true      /test e2e-gcp-console


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

yapei (Contributor) commented Mar 16, 2026

@yanpzhan will help verify

yanpzhan (Contributor) commented:

Checked on a cluster launched against the PR.
Checked the session token cookies from the console: once the old console pod was removed and a new console pod was running, a new session token cookie (openshift-session-token-console-*) was created and the old session token cookie was removed.
/verified by yanpzhan

openshift-ci-robot (Contributor) commented:

@yanpzhan: An error was encountered searching for bug OCPBUGS-78366 on the Jira server at https://issues.redhat.com. No known errors were detected, please see the full error message for details.

Full error message. request failed. Please analyze the request body for more details. Status code: 403:

Please contact an administrator to resolve this issue, then request a bug refresh with /jira refresh.


In response to this:

Checked on a cluster launched against the PR.
Checked the session token cookies from the console: once the old console pod was removed and a new console pod was running, a new session token cookie (openshift-session-token-console-*) was created and the old session token cookie was removed.
/verified by yanpzhan

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Leo6Leo (Contributor) commented Mar 16, 2026

/retest-required

Labels

  • approved: Indicates a PR has been approved by an approver from all required OWNERS files.
  • backport-risk-assessed: Indicates a PR to a release branch has been evaluated and considered safe to accept.
  • component/backend: Related to backend.
  • jira/severity-moderate: Referenced Jira bug's severity is moderate for the branch this PR is targeting.
  • jira/valid-bug: Indicates that a referenced Jira bug is valid for the branch this PR is targeting.
  • jira/valid-reference: Indicates that this PR references a valid Jira ticket of any type.
  • lgtm: Indicates that a PR is ready to be merged.

8 participants