[MAGNOLIA-3248] Magnolia should invalidate any existing session when a user is logging in Created: 13/Jul/10  Updated: 13/Dec/11  Resolved: 13/Apr/11

Status: Closed
Project: Magnolia
Component/s: core, security
Affects Version/s: 4.3.2
Fix Version/s: 4.3.9, 4.4.3, 4.5

Type: Improvement Priority: Critical
Reporter: Magnolia International Assignee: Ondrej Chytil
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
duplicate
is duplicated by MAGNOLIA-3556 Session Identifier Not Updated Closed
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Date of First Response:

Description

Two issues in one:

  • when logging out, the session is invalidated, but somehow a session gets recreated with the same ID as previously (but session.isNew() is true) for the anonymous user (while there is no session for anonymous users if no session existed previously)
  • when logging in, the existing session is not invalidated, and likewise, the same session ID is kept.

This behavior is seen as a threat by security inspecting systems. At the very least, we should indeed invalidate an existing session when logging in.
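The following servlet filter is an added example, not Magnolia's code or its eventual fix, of the two behaviours the description asks for: on login, the pre-authentication session is invalidated and its surviving attributes are moved into a freshly issued session (so an ID fixed on the victim beforehand no longer identifies the authenticated session), and on logout the session is invalidated without anything in the same request calling getSession() again, which is what would otherwise hand the now-anonymous user a new session. The request parameter names (doLogin, doLogout), the attribute names that are deliberately dropped, and the JSESSIONID cookie name are assumptions for illustration; the code uses only the Servlet 2.5-era API that a 4.x-era Magnolia would have run on.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Example session-fixation guard (illustration only, not Magnolia code).
 * Rotates the session ID when a login is processed and tears the session
 * down on logout without letting a replacement be created in the same request.
 */
public class SessionFixationFilter implements Filter {

    // Hypothetical request parameters marking a login or logout attempt.
    private static final String LOGIN_PARAM = "doLogin";
    private static final String LOGOUT_PARAM = "doLogout";

    // Hypothetical attribute names that must not survive the rotation
    // (anything an attacker could have planted or observed before login).
    private static final Set<String> DROP_ON_LOGIN =
            new HashSet<String>(Arrays.asList("csrfToken", "loginAttempts"));

    // Assumes the container's default session cookie name.
    private static final String SESSION_COOKIE = "JSESSIONID";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        if (req.getParameter(LOGOUT_PARAM) != null) {
            logout(req, res);
            return; // do not continue the chain: downstream getSession() would recreate a session
        }
        if (req.getParameter(LOGIN_PARAM) != null) {
            rotateSessionId(req);
        }
        chain.doFilter(request, response);
    }

    /**
     * Invalidate the pre-authentication session and bind the attributes worth
     * keeping to a fresh one. The old ID is dead afterwards. (Servlet 3.1+
     * containers offer req.changeSessionId() for the same purpose.)
     */
    static HttpSession rotateSessionId(HttpServletRequest req) throws ServletException {
        HttpSession old = req.getSession(false);
        String oldId = null;
        Map<String, Object> carried = new HashMap<String, Object>();
        if (old != null) {
            oldId = old.getId();
            Enumeration<?> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                if (!DROP_ON_LOGIN.contains(name)) {
                    carried.put(name, old.getAttribute(name));
                }
            }
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true); // new ID, new Set-Cookie header
        if (oldId != null && oldId.equals(fresh.getId())) {
            // The symptom the issue describes: same ID after invalidate(). Fail closed.
            fresh.invalidate();
            throw new ServletException("session ID was not rotated on login");
        }
        for (Map.Entry<String, Object> e : carried.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    /**
     * Invalidate on logout and expire the cookie client-side. Nothing after the
     * invalidate() touches getSession(); a "login as anonymous" step that did so
     * would be what creates the unwanted anonymous session.
     */
    static void logout(HttpServletRequest req, HttpServletResponse res) throws IOException {
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        Cookie expired = new Cookie(SESSION_COOKIE, "");
        expired.setMaxAge(0);
        String path = req.getContextPath();
        expired.setPath(path.length() == 0 ? "/" : path);
        res.addCookie(expired); // no-op for cookie-less clients, which have nothing to expire
        res.sendRedirect(path.length() == 0 ? "/" : path); // hypothetical landing page
    }
}
```

The check that the new ID differs from the old one is the part a practitioner would keep even after the container is trusted: it turns the "same session ID is kept" symptom from a silent weakness into a hard failure that shows up in testing.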



Comments
Comment by Magnolia International [ 13/Jul/10 ]

We could additionally drop cookies when logging in/out, but I'm unsure if/how this would affect cookie-less users.
Tomcat provides valves that actually take care of this problem: http://tomcat.apache.org/tomcat-5.5-doc/config/valve.html - but these are only useful when using tomcat's own auth system, and use tomcat-specific code to achieve the id change.

Comment by Magnolia International [ 13/Jul/10 ]

http://en.wikipedia.org/wiki/Session_fixation

Comment by Tobias Mattsson [ 11/Apr/11 ]

Closed post review.

Comment by Magnolia International [ 11/Apr/11 ]

Can we please get some information as to how the first issue of the two described above is fixed ?

Comment by Ondrej Chytil [ 11/Apr/11 ]

If I remember correctly, the behaviour was this:

  • user logged out; the session was invalidated
  • a session for anonymous was created with a different session ID
  • this session was used for the new login

I was not able to reproduce the first issue. The anonymous user session was always created with a different ID.

Comment by Magnolia International [ 11/Apr/11 ]

Ondřej: ok, I wasn't able to reproduce the case where the same session ID was kept.

However, I still have a gripe about the fact that a session is created for anonymous user (but only after they've logged in and out). Although that's probably worth an issue of its own.

(might have been introduced with MAGNOLIA-1825, MAGNOLIA-1829, MAGNOLIA-1614)

Comment by Philipp Bärfuss [ 12/Apr/11 ]

Reopened due to:

I start Magnolia up, then:
I am anon: no session: ok
I log in: a session is created - of course ok
I log out and thus am again "anonymous" - another session is created: not so ok. I suspect this comes from info.magnolia.context.WebContextImpl#logout - where we do login(anonymous)

We have to know why the session is re-created and ideally avoid it

Generated at Mon Feb 12 03:44:38 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.