[MAGNOLIA-9200] Move HTTP session renewal after login from LoginFilter to LoginHandler Created: 01/Dec/23 Updated: 09/Jan/24 |
| Status: | In Progress |
| Project: | Magnolia |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Improvement | Priority: | Neutral |
| Reporter: | Nguyen Phung Chi | Assignee: | Nguyen Phung Chi |
| Resolution: | Unresolved | Votes: | 0 |
| Labels: | authentication, dx-core-6.3 | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Template: | |
| Acceptance criteria: | Empty |
| Task DoD: | |
[ ] Doc/release notes changes? Comment present?
[ ] Downstream builds green?
[ ] Solution information and context easily available?
[ ] Tests
[ ] FixVersion filled and not yet released
[ ] Architecture Decision Record (ADR)
| Epic Link: | Align SSO with Magnolia security flow |
| Team: | |
| Work Started: |
| Description |
Context

While working on the SSO epic, we found that there is a session renewal (a session invalidate) after login and before the new Subject is set into MgnlContext. Session renewal after login is good practice for security reasons. However, it affects the way SSO (the Pac4j implementation) uses the session to store user profiles under the "pac4jUserProfiles" attribute: it invalidates the session that holds all the login information, which causes a logout issue (a global logout from the IDP is not performed). In fact, Pac4j already has the same logic for us by default (https://www.pac4j.org/docs/callback-endpoint.html#c-renewsession) in DefaultCallbackLogic, which is called by our SsoCallbackServlet.

Proposed solution

The LoginHandler should be the one to invalidate/renew the session, so we have to move the session invalidate into the LoginHandler itself, which includes our FormLogin and BasicLogin.
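The following is an added illustration of the proposed ordering (verify credentials, then renew the session, then attach the Subject), written for this ticket and not taken from Magnolia, pac4j or the LoginHandler/FormLogin/BasicLogin classes named above. The class name `SessionRenewingLoginHandler`, the `CredentialVerifier` interface and the `"subject"` attribute name are assumptions made for the example; `"pac4jUserProfiles"` is the attribute key named in the ticket, and the servlet calls are the standard `javax.servlet` API. Renewing inside the handler means the session invalidate runs only for the login mechanisms that own it, so a session that pac4j's callback has already renewed is not invalidated a second time by a filter.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Illustrative login handler (not Magnolia's code): renews the HTTP session
 * only after the handler itself has authenticated the user, so the
 * session-fixation protection lives next to the login logic instead of in a
 * filter that runs for every login mechanism, SSO included.
 */
public class SessionRenewingLoginHandler {

    /** Attribute names that must survive renewal; "pac4jUserProfiles" is the key named in the ticket. */
    private static final Set<String> PRESERVED_ATTRIBUTES = Set.of("pac4jUserProfiles");

    /** Hypothetical credential check; a real handler delegates to the authentication backend. */
    private final CredentialVerifier verifier;

    public SessionRenewingLoginHandler(CredentialVerifier verifier) {
        this.verifier = verifier;
    }

    /**
     * Returns the authenticated Subject, or null when the credentials are rejected.
     * Order matters: verify first, renew second, attach the Subject last, so a
     * new session id is never issued for a failed login and the Subject is never
     * stored on a session that is about to be invalidated.
     */
    public Subject login(HttpServletRequest request, String username, String password) {
        Subject subject = verifier.verify(username, password);
        if (subject == null) {
            return null; // failed login: leave the existing session untouched
        }
        HttpSession fresh = renewSession(request, PRESERVED_ATTRIBUTES);
        fresh.setAttribute("subject", subject); // hypothetical attribute name
        return subject;
    }

    /**
     * Invalidates the caller's current session and starts a new one, carrying
     * over only the attributes listed in {@code keep}. Everything else,
     * including any pre-login session id the client arrived with, is dropped.
     */
    static HttpSession renewSession(HttpServletRequest request, Set<String> keep) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<>();
        if (old != null) {
            for (Enumeration<String> names = old.getAttributeNames(); names.hasMoreElements();) {
                String name = names.nextElement();
                if (keep.contains(name)) {
                    carried.put(name, old.getAttribute(name));
                }
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        carried.forEach(fresh::setAttribute);
        return fresh;
    }

    /** Hypothetical backend interface, present only so the example compiles stand-alone. */
    public interface CredentialVerifier {
        Subject verify(String username, String password);
    }
}
```

The explicit allow-list in `renewSession` is the point to review when wiring this into a concrete handler: copying every attribute would defeat the purpose of the renewal, while copying none reproduces the logout problem described above for the SSO profile. Where the container supports Servlet 3.1, `request.changeSessionId()` is an alternative that rotates the session id without discarding attributes; whether that is acceptable depends on whether any pre-login session state must also be cleared.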