weizhouapache commented on issue #4550: URL: https://github.com/apache/cloudstack/issues/4550#issuecomment-747976534
@davidjumani @rhtyd @andrijapanicsb @PaulAngus thanks for your opinions and follow-ups.

Here is an update: I tested the novnc console with my colleague on an OpenStack platform. We observed:

(1) It accepts multiple sessions, and all sessions are active (CloudStack: only 1 session: new or old #4531).

(2) The URL of the VM console (e.g. http://<ip>:6080/vnc_lite.html?path=%3Ftoken%<token uuid>) can be opened on other servers. This is the same as CloudStack #4550.

(3) The token is saved in the database for verification (https://github.com/openstack/nova/commit/0c5ff5057edcf1f9ab55a559804a5c0c6a8158b2). In CloudStack we calculate the ticket in the past 3 minutes and compare it with the ticket in the URL (https://github.com/apache/cloudstack/blob/master/server/src/main/java/com/cloud/consoleproxy/AgentHookBase.java#L97-L117).

(4) The novnc session seems to have no timeout; it is still active even if there is no activity in 3 hours (CloudStack: 3 minutes).

I think our novnc solution is better :-D

Both have the same issue that the URL/token of the VM console can be reused.

I agree with Rohit and David that it is not a bug with the novnc console. It is hard to say if it is a security issue. There is room for improvement anyway.
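
An added sketch, not part of the comment and not CloudStack or Nova code, of the two verification styles compared in point (3): a stateless ticket recomputed over a 3-minute window, and a server-stored token. The HMAC construction, the key, the VM ids and the single-use redemption are assumptions made for illustration; the stateless ticket stays replayable until its window closes, which is the reuse behaviour the comment describes.

```python
import hashlib
import hmac
import secrets

WINDOW_MINUTES = 3  # validity window mentioned in the comment


def make_ticket(key: bytes, vm_id: str, minute: int) -> str:
    """Stateless ticket: HMAC over the VM id and a minute counter (assumed construction)."""
    msg = f"{vm_id}|{minute}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_ticket(key: bytes, vm_id: str, ticket: str, now_minute: int) -> bool:
    """Recompute the ticket for each minute in the window; nothing records prior use."""
    return any(
        hmac.compare_digest(make_ticket(key, vm_id, now_minute - age), ticket)
        for age in range(WINDOW_MINUTES)
    )


class TokenStore:
    """Stored-token variant (hypothetical): random token kept server-side, consumed on use."""

    def __init__(self) -> None:
        self._tokens = {}  # token -> (vm_id, expiry_minute)

    def issue(self, vm_id: str, now_minute: int, ttl: int = WINDOW_MINUTES) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (vm_id, now_minute + ttl)
        return token

    def redeem(self, token: str, vm_id: str, now_minute: int) -> bool:
        # pop() removes the entry, so a second presentation of the same URL fails
        entry = self._tokens.pop(token, None)
        if entry is None:
            return False
        stored_vm, expiry = entry
        return stored_vm == vm_id and now_minute < expiry


if __name__ == "__main__":
    key = secrets.token_bytes(32)            # constructed sample key
    ticket = make_ticket(key, "vm-1", 100)   # constructed VM id and minute
    print("stateless, first use :", verify_ticket(key, "vm-1", ticket, 100))
    print("stateless, replayed  :", verify_ticket(key, "vm-1", ticket, 102))
    store = TokenStore()
    tok = store.issue("vm-1", 100)
    print("stored, first use    :", store.redeem(tok, "vm-1", 101))
    print("stored, replayed     :", store.redeem(tok, "vm-1", 101))
```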
