
Magnolia should invalidate any existing session when a user is logging in


    • Type: Improvement
    • Resolution: Fixed
    • Priority: Critical
    • Fix Version/s: 4.3.9, 4.4.3, 4.5
    • Affects Version/s: 4.3.2
    • Component/s: core, security
    • Labels: None

Two issues in one:

• when logging out, the session is invalidated, but somehow a session gets recreated with the same ID as previously (but session.isNew() is true) for the anonymous user (while there is no session for anonymous users if no session existed previously);
• when logging in, the existing session is not invalidated, and likewise, the same session ID is kept.

This behavior is seen as a threat by security inspecting systems. At the very least, we should indeed invalidate an existing session when logging in.


    • Assignee: ochytil (Ondrej Chytil)
    • Reporter: gjoseph (Magnolia International)
    • Votes: 0
    • Watchers: 0

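The fix the ticket asks for is the standard defence against session fixation: the session ID a client held before authenticating must never become the ID of the authenticated session. The following servlet-API helper is an added illustration and is not Magnolia's code; the class name `SessionRotation`, the `"user"` and `"locale"` attribute names and the `rotateOnLogin`/`logout` method names are assumptions for this example. It invalidates the pre-login session, creates a fresh one, carries over only non-authentication state, and refuses to continue if the container hands back the same ID, which is exactly the symptom reported above.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not Magnolia's code): rotate the servlet session on login so the
 * ID issued before authentication is never bound to the authenticated user.
 * Class, method and attribute names are assumptions for illustration.
 */
public final class SessionRotation {

    private SessionRotation() {}

    /**
     * Call after credentials have been verified. Invalidates the pre-login
     * session and binds the authenticated principal to a fresh one.
     *
     * @return the new session, whose ID differs from the pre-login session's ID
     */
    public static HttpSession rotateOnLogin(HttpServletRequest request, String userName) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carryOver = new HashMap<>();
        String oldId = null;
        if (old != null) {
            oldId = old.getId();
            // Carry over only state that is harmless across the trust boundary
            // (a UI locale preference here); never copy authentication state.
            Object locale = old.getAttribute("locale");
            if (locale != null) {
                carryOver.put("locale", locale);
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        if (oldId != null && oldId.equals(fresh.getId())) {
            // Same ID after invalidate(): the behaviour the ticket describes.
            // Do not bind the user to a pre-authentication identifier.
            fresh.invalidate();
            throw new IllegalStateException("session ID was not rotated on login");
        }
        for (Map.Entry<String, Object> e : carryOver.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        fresh.setAttribute("user", userName);
        return fresh;
    }

    /**
     * Logout: invalidate and stop. Nothing later in the same request may call
     * request.getSession() or getSession(true), otherwise the container allocates
     * a new anonymous session, which is the first symptom the ticket reports.
     */
    public static void logout(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }
}
```

Two points for anyone checking a fix like this: verify the rotation in an integration test by comparing the `JSESSIONID` cookie before and after a successful login rather than trusting `session.isNew()`, since the ticket shows that flag can be true while the ID is unchanged; and on Servlet 3.1 or newer containers, `HttpServletRequest.changeSessionId()` rotates the ID in place and can replace the invalidate-and-recreate dance, though the "no session for anonymous users after logout" requirement still depends on nothing touching `getSession()` after `invalidate()`.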