MAGNOLIA-3248

Magnolia should invalidate any existing session when a user is logging in

Details

    • Type: Improvement
    • Resolution: Fixed
    • Priority: Critical
    • Fix Version/s: 4.3.9, 4.4.3, 4.5
    • Affects Version/s: 4.3.2
    • Component/s: core, security
    • Labels: None

    Description

      Two issues in one:

      • When logging out, the session is invalidated, but a session is then recreated for the anonymous user with the same ID as before (although session.isNew() is true), even though no session is created for anonymous users when none existed beforehand.
      • When logging in, the existing session is not invalidated and, likewise, the same session ID is kept.

      Security scanning tools flag this behaviour as a threat. At the very least, we should invalidate any existing session when logging in.
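      A servlet-level sketch of the behaviour described above, added here as an illustration and not Magnolia's own code: the "vulnerable" login keeps whatever session (and ID) the browser already presented, while the fixed login invalidates any pre-existing session and lets the container issue a fresh ID, which is the standard defence against session fixation. Class and method names are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical helper contrasting the reported login behaviour with the fix.
public final class SessionRotatingLogin {

    private SessionRotatingLogin() {}

    // Behaviour reported in the issue: the session that existed before
    // authentication is reused, so its ID survives the login.
    static HttpSession vulnerableLogin(HttpServletRequest request, String user) {
        HttpSession session = request.getSession(true);
        session.setAttribute("user", user);   // same session ID before and after
        return session;
    }

    // Fixed behaviour: drop the pre-login session and start a new one.
    static HttpSession fixedLogin(HttpServletRequest request, String user) {
        Map<String, Object> carryOver = new HashMap<>();
        HttpSession old = request.getSession(false);
        if (old != null) {
            // Carry over only harmless state (e.g. a "return to" URL),
            // never authentication state from the old session.
            Object returnTo = old.getAttribute("returnTo");
            if (returnTo != null) {
                carryOver.put("returnTo", returnTo);
            }
            old.invalidate();                 // old ID can no longer be used
        }
        // The container issues a new ID here. On Servlet 3.1+ containers,
        // request.changeSessionId() is an alternative that keeps attributes.
        HttpSession fresh = request.getSession(true);
        carryOver.forEach(fresh::setAttribute);
        fresh.setAttribute("user", user);
        return fresh;
    }

    // Logout: invalidate and do not call getSession() again in this request,
    // so no session is handed out for the now-anonymous user.
    static void logout(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
    }

    // Check worth running in an integration test: the ID presented before
    // login must differ from the ID of the session returned after login.
    static boolean idRotated(String idBeforeLogin, HttpSession afterLogin) {
        return !idBeforeLogin.equals(afterLogin.getId());
    }
}
```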

People

    Assignee: ochytil (Ondrej Chytil)
    Reporter: gjoseph (Magnolia International)