XWiki Platform: XWIKI-4109

Guest users are sometimes logged in with another user account


Details

    Priority: Trivial

    Description

      A configuration problem on one of our servers (the xwiki.org farm) causes the same session ID to be reused for new clients, while the session is not invalidated. This causes a new client to take over an existing session, which means that it now has a valid Principal object in the session.

      Since XWIKI-3013, this session Principal is enough to consider the user authenticated. XWIKI-3342 improves the security by also checking the cookies, and invalidating the login if the user stored in the cookies does not match the session user. However, XWIKI-3342 is incomplete, since it fails to clear the session if no authentication cookies were present to start with.
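The two checks described above, modelled side by side. This is an added illustration, not XWiki's code: the `Session` class stands in for the servlet session holding the authenticated Principal, `cookie_user` stands in for the identity read from the authentication cookies, and the function names and the constructed scenario are assumptions. The incomplete check only compares when a cookie identity exists, so a client that arrives with no cookies and inherits a session (for example through a reused session ID) is accepted as whatever Principal the session already carries; the corrected check treats a session Principal without a corroborating cookie as stale and clears it.

```python
"""Session/cookie consistency check from XWIKI-4109, modelled (not XWiki code)."""

from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    """Stand-in for an HttpSession that may carry an authenticated Principal."""
    principal: Optional[str] = None
    invalidated: bool = False

    def invalidate(self) -> None:
        self.principal = None
        self.invalidated = True


def resolve_user_incomplete(session: Session, cookie_user: Optional[str]) -> Optional[str]:
    """The incomplete check: compare only when a cookie identity is present.

    With no authentication cookies, an inherited session Principal is
    silently accepted, which is the gap the issue describes.
    """
    if cookie_user is not None and cookie_user != session.principal:
        session.invalidate()
        return None
    return session.principal


def resolve_user_fixed(session: Session, cookie_user: Optional[str]) -> Optional[str]:
    """Corrected check: a session Principal must be corroborated by a cookie.

    Missing cookies are treated like mismatching cookies: the session is
    cleared and the request proceeds unauthenticated (as a guest).
    """
    if session.principal is None:
        return None  # nothing to protect; anonymous session stays as it is
    if cookie_user is None or cookie_user != session.principal:
        session.invalidate()
        return None
    return session.principal


def inherited_session_scenario() -> Dict[str, Optional[str]]:
    """Constructed scenario: a new client with no cookies is handed a session
    that still carries the previous client's Principal ("alice")."""
    results: Dict[str, Optional[str]] = {}
    for name, check in (("incomplete", resolve_user_incomplete),
                        ("fixed", resolve_user_fixed)):
        session = Session(principal="alice")   # left behind by the previous client
        results[name] = check(session, cookie_user=None)  # new client, no auth cookies
    return results


if __name__ == "__main__":
    for name, user in inherited_session_scenario().items():
        print(f"{name}: resolved user = {user!r}")
```

Running the scenario shows the difference directly: the incomplete check resolves the cookieless newcomer to `alice`, the corrected one to `None`. In both versions a client whose cookies name a different user than the session still triggers invalidation, so the fix only narrows the cookieless case and leaves the existing XWIKI-3342 behaviour intact.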


          People

            Assignee/Reporter: sdumitriu (Sergiu Dumitriu)
            Votes: 0
            Watchers: 0
