DefaultRememberMeService rejects sessions from local reverse proxy
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Bitbucket Server can be configured to remember user sessions so that requests received from the same IP address do not require re-authentication. If a reverse proxy is involved, the address that must match is the client IP plus the proxy IP. This works as long as both the client IP and the proxy IP remain constant. However, the proxy may forward from a different IP address because of hostname resolution. When the proxy IP changes, the session is rejected, as expected.
Diagnosis
The following log message can be found in $BITBUCKET_HOME/log/atlassian-bitbucket.log:
2021-04-05 22:32:24,357 INFO http-nio-7990-exec-385 192.168.10.32,0:0:0:0:0:0:0:1 "GET /projects/PROJ1/repos/REPO/browse HTTP/1.0" c.a.s.i.a.DefaultRememberMeService Remember-me token detected for series '8fae4af1c41335e0bb51c03bebb24a0b3ce7e6d1' for user 'username' (used from '192.168.10.32,127.0.0.1'). Current request is from a different address ('192.168.10.32,0:0:0:0:0:0:0:1')! As a safety precaution, all (3) tokens from that series have been canceled.
Note the client IP is the same but the proxy IP forwarded is either 127.0.0.1 or 0:0:0:0:0:0:0:1.
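To tell this benign case apart from a rejection where an address really changed, the following added example (not Atlassian code) parses the DefaultRememberMeService message shown above and checks whether every hop that differs is a loopback address on both sides. The function name, verdict labels and the second sample line are assumptions made for illustration.

```python
import ipaddress
import re

# Matches the DefaultRememberMeService message format shown in the log excerpt.
PATTERN = re.compile(
    r"Remember-me token detected for series '(?P<series>[^']+)' for user "
    r"'(?P<user>[^']+)' \(used from '(?P<stored>[^']+)'\)\. Current request "
    r"is from a different address \('(?P<current>[^']+)'\)"
)

def _hops(chain):
    """Split a 'client,proxy' address chain into ip_address objects."""
    return [ipaddress.ip_address(part.strip()) for part in chain.split(",")]

def classify(line):
    """Return None for unrelated lines, else a dict describing the rejection."""
    m = PATTERN.search(line)
    if not m:
        return None
    try:
        stored, current = _hops(m["stored"]), _hops(m["current"])
    except ValueError:
        return {**m.groupdict(), "verdict": "unparsed-address"}
    if len(stored) != len(current):
        verdict = "chain-length-changed"
    else:
        changed = [(s, c) for s, c in zip(stored, current) if s != c]
        # Loopback alias: every hop that differs is loopback on both sides
        # (127.0.0.1 versus ::1), which is the case this article describes.
        if changed and all(s.is_loopback and c.is_loopback for s, c in changed):
            verdict = "loopback-alias"
        else:
            verdict = "address-changed"
    return {**m.groupdict(), "verdict": verdict}

# Abridged copy of the article's log line (request portion omitted).
_MSG = ("2021-04-05 22:32:24,357 INFO http-nio-7990-exec-385 {cur} "
        "c.a.s.i.a.DefaultRememberMeService Remember-me token detected for "
        "series '8fae4af1c41335e0bb51c03bebb24a0b3ce7e6d1' for user 'username' "
        "(used from '{old}'). Current request is from a different address "
        "('{cur}')! As a safety precaution, all (3) tokens from that series "
        "have been canceled.")
SAMPLE_LINES = [
    _MSG.format(old="192.168.10.32,127.0.0.1", cur="192.168.10.32,0:0:0:0:0:0:0:1"),
    _MSG.format(old="192.168.10.32,127.0.0.1", cur="192.168.10.99,127.0.0.1"),  # constructed
]
```

Lines classified as address-changed are not explained by the localhost resolution issue and should be reviewed separately.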
Cause
Both the IPv4 address 127.0.0.1 and the IPv6 address 0:0:0:0:0:0:0:1 refer to localhost, so we would like Bitbucket not to reject the session. The reverse proxy should use only one address for localhost.
In this instance the reverse proxy, nginx, is installed locally and is configured to forward traffic to port 7990.
proxy_pass http://localhost:7990;
The /etc/hosts file contains multiple definitions for localhost, so localhost can reasonably resolve to either address.
127.0.0.1 localhost
::1 localhost
Solution
The easiest fix is to ensure that the local reverse proxy always forwards using the same IP address. Example:
proxy_pass http://127.0.0.1:7990;