Hi Xavier, # Load session data into object if ($data) { + if ( $self->kind ) { + unless ( $data->{_session_kind} eq $self->kind ) { + $self->error("Session kind mistmatch"); + return undef; + } + }
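Review bot: the `unless ( $data->{_session_kind} eq $self->kind )` test has no guard for a stored session that lacks `_session_kind`. In that case `eq` compares against undef, which raises an uninitialized-value warning under `use warnings` and evaluates as a mismatch, so the session is rejected and the function returns undef. Consider testing `defined $data->{_session_kind}` first and deciding explicitly whether a session without a kind should be accepted. The error string is also misspelled ("mistmatch") and carries neither the expected nor the actual kind; including both values would make a rejection much easier to diagnose from the logs.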
Doesn't that break CDA in 1.9.7-3+deb9u1? At least I'm no longer able to access a protected application under domains other than the portal. Error output shows occurrences of “Session kind mistmatch” instead, and further debugging suggests that $data->{_session_kind} is "CDA" while $self->kind is "SSO" in the execution flow that yields access denial.

-- 
Guilhem.