[MAGNOLIA-9200] Move HTTP session renewal after login from LoginFilter to LoginHandler Created: 01/Dec/23  Updated: 09/Jan/24

Status: In Progress
Project: Magnolia
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Neutral
Reporter: Nguyen Phung Chi Assignee: Nguyen Phung Chi
Resolution: Unresolved Votes: 0
Labels: authentication, dx-core-6.3
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Epic Link: Align SSO with Magnolia security flow
Team: AdminX
Work Started:

Description

Context

While working on the SSO epic, we found that there is a session renewal (a session invalidation) after login and before the new Subject is set into MgnlContext:

https://git.magnolia-cms.com/projects/PLATFORM/repos/main/browse/magnolia-core/src/main/java/info/magnolia/cms/security/auth/login/LoginFilter.java?at=refs%2Fheads%2Frelease%2F6.2#107-109

Renewing the session after login is good security practice.

However, it affects the way the SSO (Pac4j) implementation uses the session to store user profiles under the "pac4jUserProfiles" attribute: the renewal invalidates the session that holds all the login information, which causes a logout issue (no global logout is performed at the IDP).

In fact, Pac4j already provides the same logic by default (see https://www.pac4j.org/docs/callback-endpoint.html#c-renewsession) in DefaultCallbackLogic, which is called by our SsoCallbackServlet.

Proposed solution

The LoginHandler should be the one to invalidate/renew the session, so the session invalidation has to move from the LoginFilter into the LoginHandler implementations themselves, which include our FormLogin and BasicLogin.
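To make the proposal concrete, the following is an added illustration written for this ticket, not code from the Magnolia code base: a small helper that performs the post-login session renewal (invalidate the pre-authentication session and create a fresh one, so the session id the client held before authenticating is never the id of the authenticated session), plus a sketch of a form-login handler that calls it right after credentials are verified and before any login state is stored. The class names SessionRenewal and FormLoginExample, the method handleSuccessfulLogin and the attribute name "login.user" are assumptions made for the example; only the "pac4jUserProfiles" attribute name comes from the ticket. The code uses the standard javax.servlet API and runs inside any servlet container.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical helper (example code, not Magnolia's LoginFilter logic):
 * renews the HTTP session after a successful login.
 */
public final class SessionRenewal {

    private SessionRenewal() {
    }

    /**
     * Invalidates the current session, if there is one, and creates a fresh
     * session with a new id. Only the attributes whose names are listed in
     * {@code keep} are carried over; everything else set before authentication
     * is dropped together with the old session id.
     */
    public static HttpSession renew(HttpServletRequest request, Set<String> keep) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<>();
        if (old != null) {
            for (String name : Collections.list(old.getAttributeNames())) {
                if (keep.contains(name)) {
                    carried.put(name, old.getAttribute(name));
                }
            }
            // This is the step the ticket wants moved out of LoginFilter: once a
            // handler has already stored login state (e.g. pac4j's profiles under
            // "pac4jUserProfiles"), invalidating here would throw that state away.
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> entry : carried.entrySet()) {
            fresh.setAttribute(entry.getKey(), entry.getValue());
        }
        return fresh;
    }
}

/**
 * Hypothetical form-login handler sketch (example code). The handler, not a
 * downstream filter, decides when to renew, so an SSO handler whose callback
 * logic already renewed the session is not renewed a second time.
 */
final class FormLoginExample {

    /** Assumed attribute name under which this example stores the logged-in user. */
    static final String USER_ATTRIBUTE = "login.user";

    /**
     * Called only after the credentials have been verified. Renews the session
     * first, then stores the login state on the fresh session so it survives.
     */
    static HttpSession handleSuccessfulLogin(HttpServletRequest request, String username) {
        // A plain form login carries nothing over: the old session is untrusted.
        HttpSession session = SessionRenewal.renew(request, Collections.emptySet());
        session.setAttribute(USER_ATTRIBUTE, username);
        return session;
    }
}
```

The order inside handleSuccessfulLogin is the point of the example: renew first, store login state second. A handler that stores its state and then lets a later filter invalidate the session ends up with exactly the symptom described above, an authenticated session whose identity-provider profile is gone.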


Generated at Mon Feb 12 04:39:30 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.