We need to generate the session id after user logs in. Earlier it was the same session id before user logged in and even after user logs in. Which is a security hole.
Thanks... Sent from my mobile device On Jul 22, 2013, at 11:55 PM, Sameera Jayasoma <[email protected]> wrote: > Hi Devs, > > I set up a simple cluster with one AS and one ELB. This ELB is improved to > work with Hazelcast clustering. AS joined the cluster and ELB correctly > dispatched requests to the AS node. Then I started testing the management > console access. When I entered the correct username/password and submit, I > got the login page again. But I should have got the successful login message. > I saw the successfully logged in message in server logs of AS node. > > After analyzing debug log messages of ELB, I noticed an unexpected behaviour > of the AS node. Every time I login into the management console, AS node > creates a new http session. I.e. "Set-Cookie" header is presents in the login > response from AS. I compared with a previous release of AS and this behaviour > was not there. So there has to be a recent change to the authentication > process of the Carbon management console. My guess was correct. In fact > there was a change done by Prabath to regenerate the http session every time > a user logs in or logs out of the management console. I think this change was > introduced to fix a bug in the system. Prabath can please explain why? > > This new behaviour of the authentication process cause the ELB to break. > Session affinity implementation of ELB is responsible for this. Let me > explain. > > SynapseCallbackReceiver checks for a HttpSessionDispatcher instance in the > synapse context object in the response path. LoadBalancingEndpoint is > responsible for setting the HttpSessionDispatcher in the synapse context > object in the request path. HttpSessionDispatcher extracts the new session > cookie( from the Set-Cookie header), if any and creates a corresponding > session object in the ELB side. This session object maintains session ID, > associated member node, session expiry time etc. All the subsequent request > with this session cookie are routed to the same member node. In the current > implementation LoadBalancingEndpoint sets the dispatcher to the synapse > context only if the request is not bound to any session. I.e. request does > not have any session cookie, a new session. LoadBalancingEndpoint does not > sets the dispatcher if the request contains the session cookie. > > With the recent fix in the authentication process, it creates a new session > even thought the login request is bound to an existing http session. Now when > this login response which is in a new http session(with a Set-Cookie header) > reaches ELB, ELB does not create the corresponding session object. Because > the dispatcher is not set in the synapse context. That was because the login > request was bound to an existing session. But the AS node invalidates the > existing session and new created a new one. Therefore logged in session is > lost in the ELB. > > IMO the correct fix wold be to set the dispatcher to all the requests if the > session affinity is enabled in ELB. Let me know your thoughts. I will do the > necessary modifications. > > Thanks, > Sameera. > > -- > Sameera Jayasoma, > Architect, > > WSO2, Inc. (http://wso2.com) > email: [email protected] > blog: http://sameera.adahas.org > twitter: https://twitter.com/sameerajayasoma > flickr: http://www.flickr.com/photos/sameera-jayasoma/collections > > Lean . Enterprise . Middleware
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
