Can’t reset the admin password after the first login if a web context is configured

Template for a good bug report, formatted with Markdown:

  • versions used: 8.9 LTS and 9.1.x
  • error observed:
      Request URL: http://localhost:9000/sonarqube/api/users/change_password
      Request Method: POST
      Status Code: 401
      Remote Address: [::1]:9100
      Referrer Policy: strict-origin-when-cross-origin
  • steps to reproduce:
  1. Run a new docker container with the sonarqube image, and specify a context. For example:
      docker run -d --name sonarqube -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true -e SONAR_WEB_CONTEXT=/sonarqube -p 9000:9000 sonarqube:8.9.3-community
  2. Head to the browser and log in with the default credentials (admin/admin).
  3. The first time, you will be redirected to the reset password page.
  4. Type the info and hit submit.
  5. You are redirected to the login page again, and the password doesn’t change.

I looked at the network tab in my browser; it seems the API call /api/users/change_password returns 401.
I’m not using a front-end web server.

In “Can't reset the admin password after the first login” a similar issue is reported, but it’s not the same: there the user is not using a web context, and he was using Nginx, which I’m not using.

Hi Enrique,

Thanks for sharing this issue and providing the steps to reproduce it.

I could reproduce, and after investigating, it seems that the CSRF validation fails when there is a specific web context.
I will continue my investigations to see why the CSRF validation fails and hopefully correct it for version 9.6.

I have created a ticket for this here.

Clearing the cookies in the web browser worked on my side.
I had two cookies for the same domain because I first started the application without web context. So I had an XSRF-TOKEN cookie with path “/” and another with path “/sonarqube”.
Removing the cookies for path “/” solves the issue.
Also, cookies are automatically refreshed after a few days, so it will suddenly be working.

I know this topic is quite old but I’d like to confirm that this was the same issue for you:
Do you by any chance remember if you first started without web context?
Do you still reproduce this bug?

Thanks
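
The two-cookie state described in the reply above, modelled as an added example (not part of the thread and not SonarQube code). The token values are constructed, and `lastWins` is a hypothetical reader; which value a real client or server picks from a duplicated cookie name is implementation-specific.

```javascript
// Constructed cookie jar: one XSRF-TOKEN left over from a run without a web
// context (path "/") and one set under the context (path "/sonarqube").
const jar = [
  { name: "XSRF-TOKEN", value: "stale-root-token", path: "/", created: 1 },
  { name: "XSRF-TOKEN", value: "fresh-context-token", path: "/sonarqube", created: 2 },
];

// RFC 6265 section 5.1.4 path-match.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// RFC 6265 section 5.4: every matching cookie is sent, longer paths first,
// then earlier creation time first. Same-name cookies are NOT merged.
function cookieHeader(jar, requestPath) {
  return jar
    .filter((c) => pathMatches(requestPath, c.path))
    .sort((a, b) => b.path.length - a.path.length || a.created - b.created)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Collect all values per cookie name instead of collapsing them.
function parseAll(header) {
  const seen = new Map();
  for (const pair of header.split("; ").filter(Boolean)) {
    const i = pair.indexOf("=");
    const name = pair.slice(0, i);
    seen.set(name, [...(seen.get(name) || []), pair.slice(i + 1)]);
  }
  return seen;
}

// Hypothetical naive reader: the last occurrence of a name wins.
function lastWins(header, name) {
  const values = parseAll(header).get(name) || [];
  return values.length ? values[values.length - 1] : undefined;
}

// Names that arrive more than once: worth checking when a CSRF-protected
// call returns 401 right after a context path change.
function duplicateNames(header) {
  return [...parseAll(header)].filter(([, v]) => v.length > 1).map(([n]) => n);
}

const header = cookieHeader(jar, "/sonarqube/api/users/change_password");
console.log(header, "|", lastWins(header, "XSRF-TOKEN"), "|", duplicateNames(header));
```

With the path "/" cookie removed from the jar, the header carries a single XSRF-TOKEN and `duplicateNames` returns an empty list, which matches the fix reported above.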