GitHub user bhaisaab opened a pull request:
https://github.com/apache/cloudstack/pull/574
CLOUDSTACK-8622: Reinstate working sessions in browser
- Login is based on the sessionkey HttpOnly cookie
- ApiServlet does login verification using the sessionKey from both the request cookies and the API parameters. In both cases, if either or both are passed they should match the sessionKey stored in the current session of the HttpRequest
- UI: it no longer needs to read or set the sessionkey cookie
- UI: it no longer needs to return the g_sessionKey value in the API requests, though to support an SSO mechanism it is not removed for that specific case
- UI: on logout, all cookies are removed (though this won't remove HttpOnly ones)
- Secure jsessionid cookie is set to be HttpOnly and Secure
- SAML login should also set the HttpOnly cookie before redirecting to the UI
- SAML: ListIdps API is made a read-only API that won't destroy an existing session
Performed tests (login, SAML login if applicable, page refreshes, opening multiple tabs, logout) with the following combinations:
- SAML disabled, normal auth as admin, domain-admin and user
- SAML enabled, normal auth as admin, domain-admin and user; and SAML SSO as admin, domain-admin and user
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/apache/cloudstack CLOUDSTACK-8622
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/cloudstack/pull/574.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #574
----
commit 88f63d516860d348b818d1c9149829f3469cd00a
Author: Rohit Yadav <[email protected]>
Date: 2015-07-09T20:58:30Z
CLOUDSTACK-8622: Reinstate working sessions in browser
- Login is based on the sessionkey HttpOnly cookie
- ApiServlet does login verification using the sessionKey from both the request cookies and the API parameters. In both cases, if either or both are passed they should match the sessionKey stored in the current session of the HttpRequest
- UI: it no longer needs to read or set the sessionkey cookie
- UI: it no longer needs to return the g_sessionKey value in the API requests, though to support an SSO mechanism it is not removed for that specific case
- UI: on logout, all cookies are removed (though this won't remove HttpOnly ones)
- Secure jsessionid cookie is set to be HttpOnly and Secure
- SAML login should also set the HttpOnly cookie before redirecting to the UI
- SAML: ListIdps API is made a read-only API that won't destroy an existing session
Performed tests (login, SAML login if applicable, page refreshes, opening multiple tabs, logout) with the following combinations:
- SAML disabled, normal auth as admin, domain-admin and user
- SAML enabled, normal auth as admin, domain-admin and user; and SAML SSO as admin, domain-admin and user
----
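The verification rule the PR describes for ApiServlet (a sessionkey may arrive in the cookie, in the API parameters, or both, and every copy present must equal the key held in the server-side session), plus the HttpOnly/Secure cookie flags it names, as an added illustration in Python. This is not CloudStack's code: the cookie path, the sample key values, and the decision to reject a request that carries no sessionkey at all are assumptions of this example.

```python
import hmac

SESSION_KEY_NAME = "sessionkey"  # cookie and API parameter share this name in the PR


def parse_cookie_header(header):
    """Parse a raw Cookie request header into a dict (first value wins)."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name and name not in cookies:
            cookies[name] = value.strip()
    return cookies


def verify_session_key(stored_key, cookie_header="", params=None):
    """Mirror of the rule in the PR: each sessionkey copy that is present (cookie,
    parameter, or both) must match the server-side session's key. With no copy at
    all there is nothing to verify, so the request is treated as unauthenticated
    (an assumption of this example, not a statement about ApiServlet)."""
    params = params or {}
    supplied = []
    cookie_key = parse_cookie_header(cookie_header).get(SESSION_KEY_NAME)
    if cookie_key is not None:
        supplied.append(cookie_key)
    if SESSION_KEY_NAME in params:
        supplied.append(params[SESSION_KEY_NAME])
    if not stored_key or not supplied:
        return False
    # constant-time comparison so a mismatch does not leak how many bytes agreed
    return all(hmac.compare_digest(k, stored_key) for k in supplied)


def login_set_cookie_headers(session_id, session_key, path="/"):
    """Set-Cookie values a login response would emit: HttpOnly keeps page script
    from reading them, Secure restricts them to TLS. Path is a placeholder."""
    attrs = f"Path={path}; HttpOnly; Secure"
    return [f"JSESSIONID={session_id}; {attrs}",
            f"{SESSION_KEY_NAME}={session_key}; {attrs}"]


def logout_set_cookie_headers(path="/"):
    """HttpOnly cookies cannot be cleared by the UI's JavaScript (the PR notes this),
    so the server must expire them itself with Max-Age=0."""
    return [f"{name}=; Path={path}; Max-Age=0; HttpOnly; Secure"
            for name in ("JSESSIONID", SESSION_KEY_NAME)]


if __name__ == "__main__":
    stored = "k3yFromServerSession"  # constructed sample value, not real session material
    print(verify_session_key(stored, "JSESSIONID=abc123; sessionkey=k3yFromServerSession"))
    print(verify_session_key(stored, "sessionkey=k3yFromServerSession", {"sessionkey": "other"}))
```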