[MAGNOLIA-3248] Magnolia should invalidate any existing session when a user is logging in

Created: 13/Jul/10 | Updated: 13/Dec/11 | Resolved: 13/Apr/11

| Status: | Closed |
| Project: | Magnolia |
| Component/s: | core, security |
| Affects Version/s: | 4.3.2 |
| Fix Version/s: | 4.3.9, 4.4.3, 4.5 |
| Type: | Improvement |
| Priority: | Critical |
| Reporter: | Magnolia International |
| Assignee: | Ondrej Chytil |
| Resolution: | Fixed |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
Description

Two issues in one:
This behavior is seen as a threat by security inspecting systems. At the very least, we should indeed invalidate an existing session when logging in.
Comments

Comment by Magnolia International [ 13/Jul/10 ]

We could additionally drop cookies when logging in/out, but I'm unsure if/how this would affect cookie-less users.

Comment by Magnolia International [ 13/Jul/10 ]

Comment by Tobias Mattsson [ 11/Apr/11 ]

Closed post review.
Comment by Magnolia International [ 11/Apr/11 ]

Can we please get some information as to how the first issue of the two described above is fixed?

Comment by Ondrej Chytil [ 11/Apr/11 ]

If I remember correctly, the behaviour was this:
Comment by Magnolia International [ 11/Apr/11 ]

Ondřej: ok, I wasn't able to reproduce the case where the same session ID was kept. However, I still have a gripe about the fact that a session is created for an anonymous user (but only after they've logged in and out). Although that's probably worth an issue of its own. (might have been introduced with

Comment by Philipp Bärfuss [ 12/Apr/11 ]

Reopened due to:
We have to know why the session is re-created and ideally avoid it.
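The two behaviours discussed in this issue, as an added illustration that is not Magnolia's own code: the description asks that the pre-login session be invalidated at login (so a session ID chosen before authentication is never promoted to an authenticated one), and the later comments complain that a fresh session appears for anonymous users after logout. The helper below assumes the plain Servlet API (javax.servlet) and the container's default JSESSIONID cookie name; the class name SessionRotation and the "preauth." attribute prefix are hypothetical.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Hypothetical helper for session handling around login/logout; not Magnolia code. */
public final class SessionRotation {

    /** Only pre-auth attributes with this (hypothetical) prefix survive the login rotation. */
    private static final String CARRY_OVER_PREFIX = "preauth.";

    private SessionRotation() {}

    /**
     * Call once credentials are verified and before the principal is stored.
     * The existing session, whose ID may predate authentication, is invalidated
     * and a fresh session with a new ID is returned. Attributes are copied only
     * if explicitly allow-listed; everything else planted pre-login is dropped.
     * Cookie-less (URL-rewritten) clients keep working: encodeURL() will emit
     * the new ID from here on.
     */
    public static HttpSession rotateOnLogin(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> keep = new HashMap<>();
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                if (name.startsWith(CARRY_OVER_PREFIX)) {
                    keep.put(name, old.getAttribute(name));
                }
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : keep.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    /** Logout: invalidate and expire the cookie, but never call getSession(true) here. */
    public static void invalidateOnLogout(HttpServletRequest request, HttpServletResponse response) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        Cookie expired = new Cookie("JSESSIONID", ""); // default container cookie name (assumption)
        expired.setMaxAge(0);
        expired.setPath(request.getContextPath().isEmpty() ? "/" : request.getContextPath());
        response.addCookie(expired);
    }
}
```

Any code that runs after invalidateOnLogout() on the same request and calls request.getSession() without the false argument will silently recreate an anonymous session, which is one place to look when the re-created session in the last comment is investigated.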