Details
- Type: Bug
- Status: Closed
- Priority: Critical
- Resolution: Fixed
- Affects Version/s: 2.0 M1, 1.9.2
- Component/s: {Unused} Authentication and Rights Management
- Labels: None
- Difficulty: Trivial
- Similar issues:
Description
A configuration problem on one of our servers (the xwiki.org farm) causes the same session ID to be reused for new clients, while the session is not invalidated. This causes a new client to take over an existing session, which means that it now has a valid Principal object in the session.
Since XWIKI-3013, this session Principal is enough to consider the user authenticated. XWIKI-3342 improves the security by checking the cookies also, and invalidating the login if the user stored in the cookies does not match the session user. However, XWIKI-3342 is incomplete, since it fails to clear the session if no authentication cookies were present to start with.
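The gap described above (the cookie-versus-session check only fires when cookies are present, so a client that inherits a session with a stale Principal and sends no cookies at all is still treated as logged in) is easiest to see with the two check variants side by side. The following is an added, language-neutral model written for this issue, not XWiki's own authenticator code: `Session`, the `username` cookie name and the `authenticated_user_*` functions are assumptions, and the cookie value is treated as already validated by whatever cookie-authentication mechanism is in place, so only the branch logic matters here.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    """Minimal stand-in for a servlet session (assumption, not XWiki's class)."""
    id: str
    principal: Optional[str] = None  # user name stored after a successful login
    invalidated: bool = False

    def invalidate(self) -> None:
        """Drop the stored Principal so the session no longer proves a login."""
        self.principal = None
        self.invalidated = True


def authenticated_user_incomplete(session: Session, cookies: Dict[str, str]) -> Optional[str]:
    """Mirrors the incomplete check: the cookie user is compared with the session
    Principal only when an authentication cookie is present. A client with no
    cookies keeps whatever Principal the (reused) session already carried."""
    if session.principal is None:
        return None
    cookie_user = cookies.get("username")  # assumed cookie name; value assumed validated
    if cookie_user is not None and cookie_user != session.principal:
        session.invalidate()
        return None
    return session.principal


def authenticated_user_fixed(session: Session, cookies: Dict[str, str]) -> Optional[str]:
    """Complete check: a session Principal is accepted only when the client also
    presents a matching authentication cookie. A missing cookie is treated the
    same as a mismatching one, so an inherited session is cleared, not honoured."""
    if session.principal is None:
        return None
    cookie_user = cookies.get("username")
    if cookie_user != session.principal:  # None != "alice" also lands here
        session.invalidate()
        return None
    return session.principal


def run_scenarios() -> Dict[str, Optional[str]]:
    """Constructed scenario: the legitimate user logged in, then a second client
    is handed the same (non-invalidated) session id and sends no cookies."""
    results: Dict[str, Optional[str]] = {}

    reused = Session("constructed-session-id", principal="alice")
    results["incomplete_no_cookies"] = authenticated_user_incomplete(reused, {})

    reused = Session("constructed-session-id", principal="alice")
    results["fixed_no_cookies"] = authenticated_user_fixed(reused, {})

    # Both variants already reject a cookie that names a different user.
    reused = Session("constructed-session-id", principal="alice")
    results["fixed_mismatch"] = authenticated_user_fixed(reused, {"username": "bob"})

    # The legitimate client, sending its own cookie, is unaffected by the fix.
    own = Session("constructed-session-id", principal="alice")
    results["fixed_match"] = authenticated_user_fixed(own, {"username": "alice"})
    return results


if __name__ == "__main__":
    for name, user in run_scenarios().items():
        print(f"{name}: {user!r}")
```

The difference is a single condition: the incomplete variant requires a cookie to be present before it will distrust the session, so `authenticated_user_incomplete` returns `"alice"` for the cookie-less second client, while `authenticated_user_fixed` returns `None` and invalidates the session. The server-side root cause (reusing a session id for new clients) still needs fixing on its own, but with the complete check a reused session no longer carries a login across clients.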