Project: Magnolia
MAGNOLIA-9200

Move HTTP session renewal after login from LoginFilter to LoginHandler


Details

    • Improvement
    • Resolution: Unresolved

    Description

      Context

      While working on the SSO epic, we found that there is a session renewal (performing a session invalidate) after login and before setting the new Subject into MgnlContext:

      https://git.magnolia-cms.com/projects/PLATFORM/repos/main/browse/magnolia-core/src/main/java/info/magnolia/cms/security/auth/login/LoginFilter.java?at=refs%2Fheads%2Frelease%2F6.2#107-109

      Session renewal after login is good security practice.

      However, it breaks the way the SSO module (Pac4j implementation) uses the session to store user profiles under the "pac4jUserProfiles" attribute: invalidating the session discards all of the login information, which causes a logout issue, namely that no global logout is performed at the IDP.

      In fact, Pac4j already provides the same logic by default (see https://www.pac4j.org/docs/callback-endpoint.html#c-renewsession) in DefaultCallbackLogic, which is called by our SsoCallbackServlet.

      Proposed solution

      The LoginHandler should be the one to invalidate/renew the session, so the session invalidation has to move into the LoginHandler implementations themselves, which include our FormLogin and BasicLogin.
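      As an added illustration (not Magnolia's or pac4j's own code), the difference between the renewal the issue describes and two variants that keep the session state: invalidate-and-recreate changes the session ID but drops every attribute, including "pac4jUserProfiles"; copying the attributes across, or changing only the ID with the Servlet 3.1 API, preserves them. The class and method names are hypothetical; the servlet API calls are standard javax.servlet.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper; class and method names are this example's, not Magnolia's. */
public final class SessionRenewal {

    /**
     * Renewal as the issue describes it: invalidate, then start a fresh session. The pre-login
     * ID is discarded (session-fixation defense), but every attribute goes with it, including
     * "pac4jUserProfiles" written by the SSO callback, so a later IDP global logout cannot work.
     */
    public static HttpSession renewByInvalidate(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        return request.getSession(true); // new ID, no attributes
    }

    /**
     * Renewal that still discards the pre-login ID but copies the attributes into the
     * new session, so state other components keep there (pac4j's profiles) survives.
     */
    public static HttpSession renewPreservingAttributes(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> saved = new HashMap<>();
        if (old != null) {
            for (String name : Collections.list(old.getAttributeNames())) {
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        saved.forEach(fresh::setAttribute);
        return fresh;
    }

    /**
     * Servlet 3.1 alternative: keep the session object and its attributes, change only
     * the ID. Throws IllegalStateException when no session exists, hence getSession(true).
     */
    public static String renewIdOnly(HttpServletRequest request) {
        request.getSession(true);
        return request.changeSessionId();
    }
}
```

      Copying all attributes also carries over any pre-authentication state, so a production login handler should copy selectively if that state is not trusted.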

People

    nguyen.phung Nguyen Phung Chi
    AdminX