[jira] [Commented] (CLOUDSTACK-8622) Reinstate working sessions in browser

Fri, 10 Jul 2015 04:56:32 -0700 

    [ 
https://issues.apache.org/jira/browse/CLOUDSTACK-8622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14622181#comment-14622181
 ] 

ASF subversion and git services commented on CLOUDSTACK-8622:
-------------------------------------------------------------

Commit 42940a8828424a53969af0e6117052956325ff76 in cloudstack's branch 
refs/heads/master from [[email protected]]
[ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=42940a8 ]

CLOUDSTACK-8622: Reinstate working sessions in browser

- Login is based on sessionkey HttpOnly Cookie
- ApiServlet does login verification using sessionKey from both the request 
cookies
  and the API parameters. In both cases, if either or both are passed they 
should
  match the sessionKey stored in the current session of the HttpRequest
- UI: it no longer needs to read or set sessionkey cookie
- UI: it no longer needs to return g_sessionKey value in the API requests, 
though
  to support a sso mechanism g_sessionKey is still passed in the API is not null
- Secure jsessionid cookie is set to be HttpOnly and Secure
- SAML login should also set HttpOnly cookie before redirecting to UI
- SAML: listIdps & getSPMetadata APIs are readonly now, won't log out a logged 
in user

Performed tests (login, saml login if applicable, page refreshes, opening
multiple tabs, logout) with following combinations:
- SAML disabled, normal auth as admin, domain-admin and user
- SAML enabled, normal auth as admin, domain-admin and user; and saml sso as
  admin, domain-admin and user

Signed-off-by: Rohit Yadav <[email protected]>

This closes #574
This closes #308


>  Reinstate working sessions in browser
> --------------------------------------
>
>                 Key: CLOUDSTACK-8622
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8622
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the 
> default.) 
>            Reporter: Rohit Yadav
>            Assignee: Rohit Yadav
>             Fix For: 4.6.0, 4.5.2
>
>
> CloudStack UI on refresh wipes away login/session, so users need to re-login. 
> A PR was sent in this regard: https://github.com/apache/cloudstack/pull/308
> The aim is to fix this behaviour at the same time make sure we're not 
> compromising security.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to