cloudstack-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF subversion and git services (JIRA)" <>
Subject [jira] [Commented] (CLOUDSTACK-8622) Reinstate working sessions in browser
Date Thu, 09 Jul 2015 21:12:04 GMT


ASF subversion and git services commented on CLOUDSTACK-8622:

Commit 88f63d516860d348b818d1c9149829f3469cd00a in cloudstack's branch refs/heads/CLOUDSTACK-8622
from []
[;h=88f63d5 ]

CLOUDSTACK-8622:  Reinstate working sessions in browser

- Login is based on sessionkey HttpOnly Cookie
- ApiServlet does login verification using sessionKey from both the request cookies
  and the API parameters. In both cases, if either or both are passed they should
  match the sessionKey stored in the current session of the HttpRequest
- UI: it no longer needs to read or set sessionkey cookie
- UI: it no longer needs to return g_sessionKey value in the API requests, though
  to support a sso mechanism it is not removed for that specific case
- UI: on logout, all cookies are removed (though this won't remove httponly ones)
- Secure jsessionid cookie is set to be HttpOnly and Secure
- SAML login should also set HttpOnly cookie before redirecting to UI
- SAML: ListIdps API is made a readonly API that won't destroy an existing session

Performed tests (login, saml login if applicable, page refreshes, opening
multiple tabs, logout) with following combinations:
- SAML disabled, normal auth as admin, domain-admin and user
- SAML enabled, normal auth as admin, domain-admin and user; and saml sso as
  admin, domain-admin and user

>  Reinstate working sessions in browser
> --------------------------------------
>                 Key: CLOUDSTACK-8622
>                 URL:
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>            Reporter: Rohit Yadav
>            Assignee: Rohit Yadav
>             Fix For: 4.6.0, 4.5.2
> CloudStack UI on refresh wipes away login/session, so users need to re-login. A PR was
sent in this regard:
> The aim is to fix this behaviour at the same time make sure we're not compromising security.

This message was sent by Atlassian JIRA

View raw message