
Jenkins 2.192: HTTP Error 403: No valid crumb was included in the request

Tags: jenkins

I recently upgraded to Jenkins 2.192, and my applications started failing with the following error:

HTTP Error 403: No valid crumb was included in the request
Reason: No valid crumb was included in the request

I do not see the problem after downgrading to Jenkins 2.189. I do not see the issue with Jenkins 2.189, 2.190, 2.191. I hit the issue with Jenkins 2.192 (also seen with 2.196).

SOMETHING CHANGED BETWEEN 2.191 AND 2.192, causing the failure I observed.

freeAR asked Aug 30 '19 18:08



2 Answers

You now have to forward the session ID (present in the cookie response that generated the crumb) every time you use that crumb. Example code that hopefully illustrates it:

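const axios = require('axios');

async function duplicateProject() {
  // Client with HTTP Basic credentials for every Jenkins request
  const jenkinsAxios = axios.create({
    baseURL: 'http://jenkins_url',
    auth: {
      username: 'MY-USERNAME',
      password: 'MY-PASSWORD'
    }
  });

  // Fetch the configuration of the job to copy
  const {data: existingJobConfig} = await jenkinsAxios.get('/job/existingJob/config.xml');

  // Request a crumb; the response also sets the session cookie the crumb belongs to
  const crumbIssuer = await jenkinsAxios.get('/crumbIssuer/api/json');

  // Send the crumb together with the session cookie from the crumb response
  await jenkinsAxios.post('/createItem?name=MY_NEW_PROJECT', existingJobConfig, {
    headers: {
      'Content-Type': 'application/xml',
      [crumbIssuer.data.crumbRequestField]: crumbIssuer.data.crumb,
      Cookie: crumbIssuer.headers['set-cookie'][0]              // <--- THIS IS KEY!!!!
    }
  });
}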
acdcjunior answered Jan 03 '23 16:01


A simple solution without need of making changes to source code (validated with Jenkins v2.222):

  1. Install the Strict Crumb Issuer plugin (https://plugins.jenkins.io/strict-crumb-issuer/)
  2. Enable this plugin and uncheck 'Check the session ID' from its configuration (Under Jenkins Configure Global Security)

A drawback is that this solution makes us dependent on the Strict Crumb Issuer plugin and removes a security feature. But since our application requires many other plugins and only runs behind the firewall without Internet access, this is acceptable.

freeAR answered Jan 03 '23 15:01
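
The session binding that both answers deal with, as an added example that is not part of the original answers and not Jenkins' own code: a simplified model in which the crumb is a keyed hash over the user and the session ID. It shows why a crumb sent without its session cookie gets a 403, and that with the session check off the same crumb is accepted from any session. The HMAC derivation, the salt, the user `alice`, the cookie value and all helper names are assumptions constructed for illustration.

```javascript
const crypto = require('crypto');

const SALT = 'constructed-server-salt'; // constructed; stands in for the issuer's secret

// Model issuer (assumed derivation): a keyed hash over the user and, when the
// session check is on, the web session ID as well.
function issueCrumb(user, sessionId, checkSession = true) {
  const material = checkSession ? `${user};${sessionId}` : user;
  return crypto.createHmac('sha256', SALT).update(material).digest('hex');
}

// Client side: reduce Set-Cookie headers to "name=value" pairs for the Cookie header.
function cookieHeaderFrom(setCookie = []) {
  return setCookie.map((c) => c.split(';')[0].trim()).join('; ');
}

// Server side: a request without a session cookie lands in a fresh session.
function sessionIdOf(cookieHeader = '') {
  const m = /(?:^|;\s*)JSESSIONID[^=;]*=([^;]+)/.exec(cookieHeader);
  return m ? m[1] : crypto.randomBytes(8).toString('hex');
}

// Model validation of a POST: 200 if the crumb matches this session, else 403.
function validatePost(user, headers, checkSession = true) {
  const expected = issueCrumb(user, sessionIdOf(headers.Cookie), checkSession);
  const got = String(headers['Jenkins-Crumb'] || '');
  const ok = got.length === expected.length &&
    crypto.timingSafeEqual(Buffer.from(got), Buffer.from(expected));
  return ok ? 200 : 403;
}

// Constructed /crumbIssuer/api/json response, shaped like the axios one above.
function crumbResponse(checkSession = true) {
  return {
    headers: { 'set-cookie': ['JSESSIONID.0a1b2c3d=node0constructed; Path=/; HttpOnly'] },
    data: { crumbRequestField: 'Jenkins-Crumb',
            crumb: issueCrumb('alice', 'node0constructed', checkSession) },
  };
}

// Fetch a crumb, then POST with or without the session cookie it came with.
function post(withCookie, checkSession = true) {
  const r = crumbResponse(checkSession);
  const headers = { [r.data.crumbRequestField]: r.data.crumb };
  if (withCookie) headers.Cookie = cookieHeaderFrom(r.headers['set-cookie']);
  return validatePost('alice', headers, checkSession);
}

console.log(post(false), post(true), post(false, false)); // 403 200 200
```

The third result is the trade-off the second answer accepts: once the session ID is no longer part of the check, the crumb is not tied to the session that requested it.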