[release-4.21] OCPBUGS-75000: Clean up old session cookies to prevent accumulation by openshift-cherrypick-robot · Pull Request #15985 · openshift/console

openshift-cherrypick-robot · 2026-02-03T14:10:32Z

This is an automated cherry-pick of #15837

/assign Leo6Leo

When users are load-balanced across multiple console pods, each pod creates a session cookie with a unique name based on POD_NAME: openshift-session-token-<POD_NAME>. With a 1-month cookie expiration, users accumulate cookies from different pods without old ones being removed, eventually causing the cookie header to exceed 4096 bytes. This fix cleans up session cookies from other pods when creating a new session, ensuring only one active session cookie exists at a time. Changes: - Modified AddSession() to expire old pod cookies before creating new session - Updated DeleteSession() to use modern cookie expiration pattern - Added test to verify old pod cookies are properly expired Fixes: OCPBUGS-65967 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

When deleting cookies via HTTP response headers, browsers need the deletion cookie to match the Name, Path, and Domain of the original cookie. The previous implementation only set MaxAge=-1 on the existing cookie object without explicitly setting the Path, which could prevent proper cookie deletion. This change creates a new cookie with the minimal required attributes (Name, Path, Value="", MaxAge=-1) using the path from the session store options, ensuring the browser properly recognizes and deletes the cookie. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Extract cookie cleanup logic into expireOldPodCookies helper method and add proper cookie attributes (Secure, HttpOnly, SameSite) required for browsers to properly delete cookies. Expand cleanup to GetSession and UpdateTokens to handle all load balancing scenarios. Add comprehensive test coverage for all cleanup paths. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Leo Li <leoli@redhat.com> Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

coderabbitai · 2026-02-03T14:10:40Z

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped — only excluded labels are configured. (1)

do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

🔍 Trigger a full review

✨ Finishing touches

🧪 Generate unit tests (beta)

Create PR with unit tests
Post copyable unit tests in a comment

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

openshift-ci-robot · 2026-02-03T14:10:45Z

@openshift-cherrypick-robot: Jira Issue OCPBUGS-65967 has been cloned as Jira Issue OCPBUGS-75000. Will retitle bug to link to clone.
/retitle [release-4.21] OCPBUGS-75000: Clean up old session cookies to prevent accumulation

Details

In response to this:

This is an automated cherry-pick of #15837

/assign Leo6Leo

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot · 2026-02-03T14:11:12Z

@openshift-cherrypick-robot: This pull request references Jira Issue OCPBUGS-75000, which is invalid:

release note text must be set and not match the template OR release note type must be set to "Release Note Not Required". For more information you can reference the OpenShift Bug Process.

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

This is an automated cherry-pick of #15837

/assign Leo6Leo

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

TheRealJon · 2026-02-03T14:51:48Z

/label backport-risk-assessed
/lgtm

openshift-ci · 2026-02-03T14:54:32Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: openshift-cherrypick-robot, TheRealJon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~pkg/OWNERS~~ [TheRealJon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

krishagarwal278 · 2026-02-03T19:34:24Z

/retest

openshift-ci · 2026-02-03T19:39:47Z

@openshift-cherrypick-robot: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

yanpzhan · 2026-02-05T10:28:43Z

Checked on cluster launched against the pr.
Check session token cookies from console, there is only one: openshift-session-token-console-cd4cbfb6d-x9sfp

# oc get pod -n openshift-console | grep console
console-cd4cbfb6d-l72hr      1/1     Running   0          124m
console-cd4cbfb6d-x9sfp      1/1     Running   0          124m

Delete the console pod, check on console again, the old session token cookie is removed, there is only a new one: openshift-session-token-console-cd4cbfb6d-l72hr

# oc delete pod console-cd4cbfb6d-x9sfp -n openshift-console
pod "console-cd4cbfb6d-x9sfp" deleted
[root@MiWiFi-RB03-srv console]# oc get pod -n openshift-console
NAME                         READY   STATUS    RESTARTS   AGE
console-cd4cbfb6d-8lkvp      1/1     Running   0          4m53s
console-cd4cbfb6d-l72hr      1/1     Running   0          131m
downloads-69985b9bb7-s5h6z   1/1     Running   0          157m
downloads-69985b9bb7-xst79   1/1     Running   0          157m

Enable a console plugin, after console pod restarts, check on console, also only one new session token cookie exists: openshift-session-token-console-96597d69b-bmvh5

# oc get pod -n openshift-console
NAME                         READY   STATUS    RESTARTS   AGE
console-96597d69b-bmvh5      1/1     Running   0          45s
console-96597d69b-xbscn      1/1     Running   0          44s
downloads-69985b9bb7-s5h6z   1/1     Running   0          162m
downloads-69985b9bb7-xst79   1/1     Running   0          162m

/verified by yanpzhan

openshift-ci-robot · 2026-02-05T10:28:57Z

@yanpzhan: This PR has been marked as verified by yanpzhan.

Details

In response to this:

Checked on cluster launched against the pr.
Check session token cookies from console, there is only one: openshift-session-token-console-cd4cbfb6d-x9sfp
# oc get pod -n openshift-console | grep console
console-cd4cbfb6d-l72hr      1/1     Running   0          124m
console-cd4cbfb6d-x9sfp      1/1     Running   0          124m
Delete the console pod, check on console again, the old session token cookie is removed, there is only a new one: openshift-session-token-console-cd4cbfb6d-l72hr
# oc delete pod console-cd4cbfb6d-x9sfp -n openshift-console
pod "console-cd4cbfb6d-x9sfp" deleted
[root@MiWiFi-RB03-srv console]# oc get pod -n openshift-console
NAME                         READY   STATUS    RESTARTS   AGE
console-cd4cbfb6d-8lkvp      1/1     Running   0          4m53s
console-cd4cbfb6d-l72hr      1/1     Running   0          131m
downloads-69985b9bb7-s5h6z   1/1     Running   0          157m
downloads-69985b9bb7-xst79   1/1     Running   0          157m
Enable a console plugin, after console pod restarts, check on console, also only one new session token cookie exists: openshift-session-token-console-96597d69b-bmvh5
# oc get pod -n openshift-console
NAME                         READY   STATUS    RESTARTS   AGE
console-96597d69b-bmvh5      1/1     Running   0          45s
console-96597d69b-xbscn      1/1     Running   0          44s
downloads-69985b9bb7-s5h6z   1/1     Running   0          162m
downloads-69985b9bb7-xst79   1/1     Running   0          162m
/verified by yanpzhan

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

TheRealJon and others added 3 commits February 3, 2026 14:10

openshift-cherrypick-robot assigned Leo6Leo Feb 3, 2026

openshift-cherrypick-robot mentioned this pull request Feb 3, 2026

OCPBUGS-65967: Clean up old session cookies to prevent accumulation #15837

Merged

openshift-ci bot changed the title ~~[release-4.21] OCPBUGS-65967: Clean up old session cookies to prevent accumulation~~ [release-4.21] OCPBUGS-75000: Clean up old session cookies to prevent accumulation Feb 3, 2026

openshift-ci bot requested review from TheRealJon and jhadvig February 3, 2026 14:14

openshift-ci bot added the component/backend Related to backend label Feb 3, 2026

openshift-ci bot added the backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. label Feb 3, 2026

openshift-ci bot assigned sanketpathak, XiyunZhao, yanpzhan, yapei and TheRealJon Feb 3, 2026

openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Feb 3, 2026

openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 3, 2026

openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Feb 5, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[release-4.21] OCPBUGS-75000: Clean up old session cookies to prevent accumulation#15985

[release-4.21] OCPBUGS-75000: Clean up old session cookies to prevent accumulation#15985
openshift-cherrypick-robot wants to merge 3 commits intoopenshift:release-4.21from
openshift-cherrypick-robot:cherry-pick-15837-to-release-4.21

openshift-cherrypick-robot commented Feb 3, 2026

Uh oh!

coderabbitai bot commented Feb 3, 2026 •

edited

Loading

Review skipped

Uh oh!

openshift-ci-robot commented Feb 3, 2026

Uh oh!

openshift-ci-robot commented Feb 3, 2026

Uh oh!

TheRealJon commented Feb 3, 2026

Uh oh!

openshift-ci bot commented Feb 3, 2026

Uh oh!

krishagarwal278 commented Feb 3, 2026

Uh oh!

openshift-ci bot commented Feb 3, 2026

Uh oh!

yanpzhan commented Feb 5, 2026

Uh oh!

openshift-ci-robot commented Feb 5, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

9 participants

Conversation

openshift-cherrypick-robot commented Feb 3, 2026

Uh oh!

coderabbitai bot commented Feb 3, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Review skipped

Uh oh!

openshift-ci-robot commented Feb 3, 2026

Uh oh!

openshift-ci-robot commented Feb 3, 2026

Uh oh!

TheRealJon commented Feb 3, 2026

Uh oh!

openshift-ci bot commented Feb 3, 2026

Uh oh!

krishagarwal278 commented Feb 3, 2026

Uh oh!

openshift-ci bot commented Feb 3, 2026

Uh oh!

yanpzhan commented Feb 5, 2026

Uh oh!

openshift-ci-robot commented Feb 5, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

9 participants

coderabbitai bot commented Feb 3, 2026 •

edited

Loading