Improvement
Resolution: Fixed
Neutral
Relates to: https://jira.magnolia-cms.com/browse/ADMINCTR-511
When a user changed the password in one browser while another session was active in a different browser, the new password was successfully updated, but the old session remained active.
Approach
- This ticket will provide an HttpSessionListener to track the sessions of an authenticated MgnlUser.
- Later on, we can then invalidate all sessions in some cases, e.g. when the password is changed.
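The approach above, as an added example that is not Magnolia's DefaultHttpSessionListener source: a listener that keeps a per-user registry of sessions so they can all be invalidated after a password change. The class name UserSessionRegistry, the attribute name, and the track/invalidateAll methods are hypothetical, and the javax.servlet API namespace is assumed.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** Hypothetical per-user session registry (added example, not Magnolia's DefaultHttpSessionListener). */
public class UserSessionRegistry implements HttpSessionListener {
    static final String USER_ATTR = "example.userName"; // assumed attribute name, set at login
    // user name -> live sessions on this node only (a cluster would need a shared registry)
    private static final Map<String, Set<HttpSession>> SESSIONS = new ConcurrentHashMap<>();

    /** Call once the user is authenticated; sessions are anonymous before that. */
    public static void track(String userName, HttpSession session) {
        session.setAttribute(USER_ATTR, userName);
        SESSIONS.computeIfAbsent(userName, u -> ConcurrentHashMap.newKeySet()).add(session);
    }

    /** Call after a password change; keepSessionId (may be null) is the session that made the change. */
    public static int invalidateAll(String userName, String keepSessionId) {
        Set<HttpSession> sessions = SESSIONS.get(userName);
        if (sessions == null) return 0;
        int ended = 0;
        for (HttpSession s : sessions.toArray(new HttpSession[0])) { // copy: invalidate() fires sessionDestroyed
            if (s.getId().equals(keepSessionId)) continue;
            try {
                s.invalidate();
                ended++;
            } catch (IllegalStateException alreadyInvalid) {
                sessions.remove(s); // stale entry: the container ended this session first
            }
        }
        return ended;
    }

    @Override
    public void sessionCreated(HttpSessionEvent se) { /* nothing to track until login */ }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        HttpSession s = se.getSession();
        Object user = s.getAttribute(USER_ATTR); // attributes are still readable here (Servlet 2.4+)
        Set<HttpSession> sessions = (user == null) ? null : SESSIONS.get(user);
        if (sessions != null) sessions.removeIf(t -> t.getId().equals(s.getId()));
    }
}
```

Removing entries in sessionDestroyed covers timeouts and explicit logouts as well, so the registry never hands back sessions the container has already ended.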
Documentation notes:
- The new implementation of HttpSessionListener is called: DefaultHttpSessionListener
- The listener must be registered in the web.xml file as shown below, under the existing "MagnoliaServletContextListener" (see this as reference: https://git.magnolia-cms.com/projects/PLATFORM/repos/ce/browse/magnolia-empty-webapp/src/main/webapp/WEB-INF/web.xml?at=refs%2Fheads%2Frelease%2F6.2#25):
  <listener>
    <listener-class>info.magnolia.cms.security.DefaultHttpSessionListener</listener-class>
  </listener>
- As discussed with mgeljic, we agreed that the listener will be set up/enabled by default, but not for existing installs.
- So we should document how to register/enable the listener so that the feature from https://jira.magnolia-cms.com/browse/ADMINCTR-511 (invalidate/log out all sessions when a user changes the password) works; customers need to enable it themselves if they want it.
Acceptance criteria
- clones
  - MAGNOLIA-9236 Tracking MgnlUser sessions using HttpSessionListener (Closed)
- relates to
  - MAGNOLIA-9210 Expose the number of concurrent authors for monitoring (Open)
  - MGNLCE-394 Prepare UI test for new sessions invalidation behavior when changing password (Reopened)