cloudstack-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF subversion and git services (JIRA)" <>
Subject [jira] [Commented] (CLOUDSTACK-8622) Reinstate working sessions in browser
Date Thu, 09 Jul 2015 22:11:05 GMT


ASF subversion and git services commented on CLOUDSTACK-8622:

Commit 69d2fd849bc4281f593a14e1823ca7f0a8bd2f40 in cloudstack's branch refs/heads/CLOUDSTACK-8622
from []
[;h=69d2fd8 ]

CLOUDSTACK-8622:  Reinstate working sessions in browser

- Login is based on sessionkey HttpOnly Cookie
- ApiServlet does login verification using sessionKey from both the request cookies
  and the API parameters. In both cases, if either or both are passed they should
  match the sessionKey stored in the current session of the HttpRequest
- UI: it no longer needs to read or set sessionkey cookie
- UI: it no longer needs to return g_sessionKey value in the API requests, though
  to support a sso mechanism g_sessionKey is still passed in the API is not null
- Secure jsessionid cookie is set to be HttpOnly and Secure
- SAML login should also set HttpOnly cookie before redirecting to UI
- SAML: listIdps & getSPMetadata APIs are readonly now, won't log out a logged in user

Performed tests (login, saml login if applicable, page refreshes, opening
multiple tabs, logout) with following combinations:
- SAML disabled, normal auth as admin, domain-admin and user
- SAML enabled, normal auth as admin, domain-admin and user; and saml sso as
  admin, domain-admin and user

Signed-off-by: Rohit Yadav <>

>  Reinstate working sessions in browser
> --------------------------------------
>                 Key: CLOUDSTACK-8622
>                 URL:
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>            Reporter: Rohit Yadav
>            Assignee: Rohit Yadav
>             Fix For: 4.6.0, 4.5.2
> CloudStack UI on refresh wipes away login/session, so users need to re-login. A PR was
sent in this regard:
> The aim is to fix this behaviour at the same time make sure we're not compromising security.

This message was sent by Atlassian JIRA

View raw message