Bitbucket Data Center / BSERV-4715

Basic authentication in the web UI leads to XSRF errors


Details

    • We collect Bitbucket feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

    Description

      Background:
      The question at https://answers.atlassian.com/questions/275306/xsrf-errors-in-repo-creation-using-custom-httpauthenticationhandler reports problems while writing a custom HTTP authentication plugin for Kerberos / SPNEGO. If the browser cannot take part in the authentication negotiation, the auth_krb_auth Apache module falls back to sending a Basic auth challenge.

      When Basic auth credentials are provided, Stash always authenticates the request, even if the user was already authenticated. Because of the session fixation protection, a new session is created for every such request and the old session is invalidated. Browsers can send multiple requests in parallel, which leads to session invalidation races: the session fixation protection code cannot always copy the session data into the new session, and the XSRF token is lost.

      Instead of re-authenticating every request, authentication should only be attempted when the user is not already authenticated.
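      The race described above, as an added in-memory model (not Stash/Bitbucket code; the SessionStore, rotate_session and auth_filter names are assumptions): two parallel requests from one browser both carry Basic credentials, the second one looks up the shared cookie only after the first has rotated the session away, and with "re-authenticate every request" it ends up in a fresh session without the XSRF token, while "authenticate only when not already authenticated" keeps the token for both.

```python
import secrets


class SessionStore:
    """Minimal in-memory session store (constructed for this illustration)."""

    def __init__(self):
        self.sessions = {}  # session id -> attribute dict

    def create(self):
        sid = secrets.token_hex(8)
        self.sessions[sid] = {}
        return sid

    def invalidate(self, sid):
        self.sessions.pop(sid, None)


def rotate_session(store, old_sid):
    """Session fixation protection: copy the old session's attributes into a
    fresh session, then invalidate the old one. If a concurrent request has
    already invalidated old_sid, nothing is left to copy (XSRF token lost)."""
    attrs = dict(store.sessions.get(old_sid, {}))
    new_sid = store.create()
    store.sessions[new_sid].update(attrs)
    store.invalidate(old_sid)
    return new_sid


def auth_filter(store, cookie_sid, basic_credentials, reauth_always):
    """Session id a request ends up with. reauth_always=True models the reported
    behaviour; False models the proposed fix (skip auth when already logged in)."""
    user = store.sessions.get(cookie_sid, {}).get("user")
    if basic_credentials and (reauth_always or user is None):
        new_sid = rotate_session(store, cookie_sid)
        store.sessions[new_sid]["user"] = basic_credentials[0]  # assumed valid
        return new_sid
    return cookie_sid


def simulate_parallel_requests(reauth_always):
    """Two requests with the same cookie and Basic credentials. Modelled
    interleaving: request B resolves the cookie after A already rotated it."""
    store = SessionStore()
    sid = store.create()
    store.sessions[sid].update({"user": "alice", "xsrf": "tok-constructed"})
    creds = ("alice", "secret")  # constructed sample credentials
    sid_a = auth_filter(store, sid, creds, reauth_always)
    sid_b = auth_filter(store, sid, creds, reauth_always)
    # XSRF token each request's final session still holds (None means lost)
    return [store.sessions[s].get("xsrf") for s in (sid_a, sid_b)]
```

      Calling simulate_parallel_requests(True) shows the second request without a token, simulate_parallel_requests(False) keeps it for both.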

          People

            mheemskerk Michael Heemskerk (Inactive)