Merged
4 changes: 4 additions & 0 deletions content/doc/book/managing/system-properties.adoc
@@ -994,6 +994,8 @@ properties:
since: 2.176.2 / 2.186
description: |
Escape hatch for link:/security/advisory/2019-07-17/#SECURITY-626[SECURITY-626].
Since Jenkins 2.543, this is the only part of the CSRF crumb that is tied to a user session/machine.
It is strongly recommended to remain `false`.

- name: hudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION
tags:
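Review bot: the added sentence "Since Jenkins 2.543, this is the only part of the CSRF crumb that is tied to a user session/machine." leaves "this" unresolved for a reader who lands on the description without the property name above it; say what is meant, for example "the web session ID is the only part of the CSRF crumb that is tied to a user's session or machine", and state the consequence the recommendation rests on, that setting the escape hatch to `true` now removes the only session-bound component and therefore the crumb expiry that SECURITY-626 introduced.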
@@ -1741,11 +1743,13 @@ properties:
tags:
- escape hatch
- feature
- obsolete
def: |
`false`
since: 2.119
description: |
`true` to enable crumb proxy compatibility when running the Setup Wizard for the first time.
This flag is unused since Jenkins 2.543, as the IP address is no longer part of the CSRF crumb.

- name: jenkins.model.Jenkins.disableExceptionOnNullInstance
tags:
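Review bot: with the `obsolete` tag and the new sentence "This flag is unused since Jenkins 2.543", the first description line still reads in the present tense ("`true` to enable crumb proxy compatibility when running the Setup Wizard for the first time"), which suggests the flag still does something; rephrase it in the past tense ("Before Jenkins 2.543, `true` enabled ...") and consider adding that the property can be dropped from startup scripts, so the entry is consistent with the tag.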
8 changes: 3 additions & 5 deletions content/doc/book/security/csrf-protection.adoc
@@ -32,16 +32,14 @@ The _Default Crumb Issuer_ encodes the following information in the https://en.w

* The user name that the crumb was generated for
* The web session ID that the crumb was generated in
* The IP address of the user that the crumb was generated for
* A https://en.wikipedia.org/wiki/Salt_(cryptography)[salt] unique to this Jenkins instance

All of this information needs to match when a crumb is sent back to Jenkins for that submission to be considered valid.

The only supported option _Enable proxy compatibility_ removes information about the user IP address from the token.
NOTE: Before Jenkins 2.543, the IP address was optionally also included by default.
The option _Enable proxy compatibility_ could be used to remove information about the user IP address from the token.
This can be useful when Jenkins is running behind a reverse proxy and a user's IP address as seen from Jenkins would regularly change.

NOTE: The web session ID was added in Jenkins 2.176.2 and 2.186 to cause crumb to expire.
See link:/security/advisory/2019-07-17/#SECURITY-626[security advisory] and link:/doc/upgrade-guide/2.176/#SECURITY-626[upgrade guide].
Since the web session ID provides stronger protection, this option was removed in Jenkins 2.543.

Plugins may provide other crumb issuers that use other criteria to determine whether a crumb is valid.
The plugin:strict-crumb-issuer[Strict Crumb Issuer] provides an alternative crumb issuer implementation that is more customizable.
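Review bot: the new NOTE line "Before Jenkins 2.543, the IP address was optionally also included by default." is self-contradictory ("optionally" and "by default"); suggest "was also included by default, unless _Enable proxy compatibility_ was set". The unchanged line that follows, "This can be useful when Jenkins is running behind a reverse proxy ...", now describes a removed option in the present tense and should become "This was useful ...". Finally, the deleted NOTE carried the references "link:/security/advisory/2019-07-17/#SECURITY-626[security advisory]" and "link:/doc/upgrade-guide/2.176/#SECURITY-626[upgrade guide]" together with the 2.176.2 / 2.186 introduction of the session ID, and none of that survives in the new text; the sentence "Since the web session ID provides stronger protection, this option was removed in Jenkins 2.543." would be a good place to keep at least the advisory link so readers can still find why the session ID is in the crumb.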