Details
Suggestion
Resolution: Fixed
None
Description
Background:
https://answers.atlassian.com/questions/275306/xsrf-errors-in-repo-creation-using-custom-httpauthenticationhandler reports problems while writing a custom HTTP authentication plugin for Kerberos / SPNEGO. If the browser cannot take part in the SPNEGO negotiation, the Apache Kerberos module (auth_krb_auth in the report) falls back to sending a Basic auth challenge, so every subsequent request carries Basic credentials.
When Basic auth credentials are present, Stash always authenticates the request, even if the session is already authenticated. Because of the session fixation protection, each such authentication creates a new session and invalidates the old one. Browsers send requests in parallel, so several requests carrying the same session cookie can race: one request invalidates the session before another has copied its attributes into its own new session. When that happens the session fixation protection code cannot copy the session data across, and the XSRF token is lost, which is what surfaces as the XSRF errors in the report.
Instead of re-authenticating on every request, authentication should only be attempted if the session is not already authenticated (a request whose credentials name a different user than the session's should still be re-authenticated).
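The race described above, as an added model that is not Stash code and not the reporter's plugin. It uses a hypothetical in-memory session store, a hypothetical credential check that accepts one constructed user, and a deterministic round-robin interleaving of two requests that share the same session cookie. Under the "always re-authenticate" policy the second request's session-fixation copy finds the old session already invalidated and loses the XSRF token; under the "authenticate only if needed" policy both requests keep it. The model also shows the remaining caveat: if neither request is authenticated yet (a real first login arriving twice in parallel), the copy-then-invalidate step can still race. The change removes the trigger that fires on every request, not the underlying copy step.

```python
"""Model of the session-fixation race from the issue (illustration only,
not Stash code). Everything here is a hypothetical simplification:
  * a successful authentication copies the old session's attributes
    (including the XSRF token) into a fresh session and invalidates the
    old one (session-fixation protection);
  * reauth_always=True authenticates every request carrying Basic
    credentials, even if the session already holds that user;
  * reauth_always=False skips authentication when the session already
    holds the same authenticated user.
Two requests with the same incoming session id are interleaved step by
step, round-robin, so the outcome is deterministic.
"""
import itertools


class SessionStore:
    """Hypothetical session store keyed by session id."""

    def __init__(self):
        self._sessions = {}
        self._ids = itertools.count(1)

    def create(self, attrs=None):
        sid = f"S{next(self._ids)}"
        self._sessions[sid] = dict(attrs or {})
        return sid

    def get(self, sid):
        return self._sessions.get(sid)  # None once invalidated

    def invalidate(self, sid):
        self._sessions.pop(sid, None)


def check_basic(creds):
    """Hypothetical Basic-auth check: one constructed user is valid."""
    return "alice" if creds == ("alice", "s3cret") else None


def request(store, sid, creds, reauth_always, result):
    """One HTTP request as a generator; the yield is the point where the
    scheduler may run a sibling request in between."""
    session = store.get(sid)
    already = session.get("user") if session is not None else None
    yield  # sibling request can run here

    user = check_basic(creds)
    if user is None or (not reauth_always and already == user):
        result["sid"] = sid  # no (re)authentication: session untouched
        return
    # Session-fixation protection: copy attributes, then swap sessions.
    old = store.get(sid)  # None if a sibling already invalidated it
    attrs = dict(old) if old is not None else {}  # token lost when old is None
    store.invalidate(sid)
    attrs["user"] = user
    result["sid"] = store.create(attrs)


def run_interleaved(gens):
    """Round-robin scheduler: advance each generator one step at a time."""
    pending = list(gens)
    while pending:
        for g in list(pending):
            try:
                next(g)
            except StopIteration:
                pending.remove(g)


def simulate(reauth_always, logged_in=True):
    """Two parallel requests on one session. Returns the XSRF token each
    request's final session carries (None when it was lost)."""
    store = SessionStore()
    attrs = {"xsrf": "tok-123"}
    if logged_in:
        attrs["user"] = "alice"
    sid = store.create(attrs)
    creds = ("alice", "s3cret")  # constructed credentials
    results = [{}, {}]
    run_interleaved(request(store, sid, creds, reauth_always, r) for r in results)
    return [(store.get(r["sid"]) or {}).get("xsrf") for r in results]


if __name__ == "__main__":
    print("always re-auth:     ", simulate(True))
    print("auth only if needed:", simulate(False))
    print("first login, racing:", simulate(False, logged_in=False))
```

Running it prints the token pair for each policy: the second request loses its token under the always-re-authenticate policy, keeps it when authentication is skipped for an already-authenticated session, and still loses it when two genuine first logins race.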