• Type: Bug
• Resolution: Fixed
• Priority: Medium
• Fix Version/s: 2.9.2, 2.10
• Affects Version/s: 2.6.2, 2.7.3
• Component/s: None

When the user logs out, the HttpSession isn't invalidated.

The important details of the logged-in user and other information are correctly cleared, but other properties such as user preferences are not.

The impact is that things like the labels section's and location section's openness state aren't correctly loaded from the database (they are read from the session, which contains the value of the previously logged-in user).

[CONFSERVER-11324] Session isn't invalidated on logout

Chris Kiehl added a comment:

Added 2.9.2 as fix version again, because this is a serious bug and the fix is pretty simple.

m@ (Inactive) added a comment:

We'll have a look at fixing this on 2.9.2 as it should be fairly simple.

Christoph Lenggenhager added a comment:

Matthew, thank you for your efforts.

The thing is that invalidation of the session triggers the logout from our SSO environment. So without invalidation, a logout in Confluence is not really a logout from our system, which is a bad thing.

The issue is not that pressing anymore, because I managed to implement a plugin that listens for LogoutEvents and invalidates the session. This seems to work.

m@ (Inactive) added a comment:

We've just ordered a commercial license for confluence and session invalidation upon logout is crucial for the integration of confluence into our production infrastructure.

Christoph, can you elaborate on the impact a bit more? In light of your comment I have increased the priority and Internal Value.

Christoph Lenggenhager added a comment:

Hi,

Is there anything I can do (except for voting) so that this bug gets a higher priority and is resolved sometime soon?

We've just ordered a commercial license for Confluence, and session invalidation upon logout is crucial for the integration of Confluence into our production infrastructure.

Thanks,
christoph

jens added a comment:

Also the user history is stored in the session and therefore exposes the names of recently visited pages to other users if the same browser is used.

m@ (Inactive) added a comment:

Should add a session.invalidate into the LogoutAction.

m@ (Inactive) added a comment (edited):

Obviously this only happens if you use a single browser and log in and out as a different user.

Detailed description:

1. User logs in.
2. Velocity file requires a property (e.g. location section showing).
   1. Confluence checks the session and doesn't find it.
   2. Confluence loads preferences from the user accessor (which will go to the DB or external user management).
   3. Confluence returns the value to Velocity.
3. User logs out.
   1. User credentials are dropped.
   2. Session is marked as "logged out".
   3. User preferences are not dropped from the session.
4. New user logs in.
5. Velocity file requires a property (e.g. location section showing).
   1. Confluence checks the session and finds the old value.
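The logout flow in the description above and the session.invalidate() fix asked for in the comments, written out as a plain Java servlet. This is an added example, not Confluence's LogoutAction or any code attached to this issue; the attribute names, the PreferenceStore interface and the /login.action redirect target are assumptions made for the example.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Illustrative servlet (not Confluence's LogoutAction). Shows the logout that
 * leaves preferences behind, the logout that invalidates the HttpSession, and
 * the session-first preference lookup that turns the leftover into a leak.
 */
public class LogoutServlet extends HttpServlet {

    // Assumed attribute names; the real Confluence keys are not on the issue page.
    static final String ATTR_USER = "confluence.user";
    static final String ATTR_LOGGED_OUT = "confluence.loggedOut";
    static final String ATTR_PREF_PREFIX = "pref."; // e.g. "pref.locationSectionOpen"

    /** Stands in for the user accessor (database or external user management). */
    interface PreferenceStore {
        boolean isSectionOpen(String user, String sectionKey);
    }

    /**
     * BEFORE: the behaviour the issue reports. Credentials are dropped and the
     * session is marked "logged out", but preferences, page history and every
     * other attribute stay in the HttpSession for whoever logs in next.
     */
    static void logoutWithoutInvalidate(HttpSession session) {
        session.removeAttribute(ATTR_USER);
        session.setAttribute(ATTR_LOGGED_OUT, Boolean.TRUE);
        // nothing removes the ATTR_PREF_PREFIX entries
    }

    /**
     * AFTER: the fix the comments ask for. invalidate() discards every attribute
     * and retires the session id; the container also fires
     * HttpSessionListener.sessionDestroyed, which is what an SSO integration
     * can hook to end its own session.
     */
    static void logoutWithInvalidate(HttpSession session) {
        if (session == null) {
            return; // no session, nothing to invalidate
        }
        try {
            session.invalidate();
        } catch (IllegalStateException alreadyInvalid) {
            // a concurrent request already invalidated it; logout is still complete
        }
    }

    /**
     * Session-first lookup in the shape the issue describes. After a logout that
     * did not invalidate, the cached value belongs to the previous user.
     */
    static boolean isSectionOpen(HttpSession session, String user, String sectionKey,
                                 PreferenceStore store) {
        String key = ATTR_PREF_PREFIX + sectionKey;
        Object cached = session.getAttribute(key);
        if (cached != null) {
            return (Boolean) cached; // stale unless the session was invalidated
        }
        boolean value = store.isSectionOpen(user, sectionKey);
        session.setAttribute(key, value);
        return value;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getSession(false): never create a session just to log out of it
        logoutWithInvalidate(req.getSession(false));

        // Expire the session cookie so the browser stops presenting the dead id.
        Cookie cookie = new Cookie("JSESSIONID", "");
        cookie.setPath(req.getContextPath().isEmpty() ? "/" : req.getContextPath());
        cookie.setMaxAge(0);
        resp.addCookie(cookie);

        resp.sendRedirect(req.getContextPath() + "/login.action"); // assumed target
    }
}
```

Because invalidate() drops the whole session rather than a known list of attributes, it also covers the page-history leak jens describes and anything a plugin has cached under its own keys. Caching per-user values in the session under a key that includes the user name is a reasonable second line of defence, but it does not replace invalidation: the session id itself should not outlive the login it was issued for.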

People: ckiehl (Chris Kiehl), mjensen (m@ (Inactive))