[jira] [Commented] (CLOUDSTACK-8622) Reinstate working sessions in browser

Thu, 09 Jul 2015 14:12:17 -0700 

    [ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14621270#comment-14621270
 ] 

ASF subversion and git services commented on CLOUDSTACK-8622:
-------------------------------------------------------------

Commit 88f63d516860d348b818d1c9149829f3469cd00a in cloudstack's branch 
refs/heads/CLOUDSTACK-8622 from [[email protected]]
[ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=88f63d5 ]

CLOUDSTACK-8622:  Reinstate working sessions in browser

- Login is based on sessionkey HttpOnly Cookie
- ApiServlet does login verification using sessionKey from both the request 
cookies
  and the API parameters. In both cases, if either or both are passed they 
should
  match the sessionKey stored in the current session of the HttpRequest
- UI: it no longer needs to read or set sessionkey cookie
- UI: it no longer needs to return g_sessionKey value in the API requests, 
though
  to support a sso mechanism it is not removed for that specific case
- UI: on logout, all cookies are removed (though this won't remove httponly 
ones)
- Secure jsessionid cookie is set to be HttpOnly and Secure
- SAML login should also set HttpOnly cookie before redirecting to UI
- SAML: ListIdps API is made a readonly API that won't destroy an existing 
session

Performed tests (login, saml login if applicable, page refreshes, opening
multiple tabs, logout) with following combinations:
- SAML disabled, normal auth as admin, domain-admin and user
- SAML enabled, normal auth as admin, domain-admin and user; and saml sso as
  admin, domain-admin and user


>  Reinstate working sessions in browser
> --------------------------------------
>
>                 Key: CLOUDSTACK-8622
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8622
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the 
> default.) 
>            Reporter: Rohit Yadav
>            Assignee: Rohit Yadav
>             Fix For: 4.6.0, 4.5.2
>
>
> CloudStack UI on refresh wipes away login/session, so users need to re-login. 
> A PR was sent in this regard: https://github.com/apache/cloudstack/pull/308
> The aim is to fix this behaviour at the same time make sure we're not 
> compromising security.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to