People ran into problems because we started invalidating the session on logout in 2.9.2. They expect certain session attributes like the seraph LOGGED_OUT_KEY to be present.

This means we need to remove all session attributes except some special attributes like the seraph ones. The other option would be to only remove critical attributes like the user's history from the session and leave it untouched otherwise. But I would rather go for the first approach, and remove as much data from the session as possible to avoid privacy issues created by future code.

[CONFSERVER-13702] Session must not be invalidated on logout

Paul Curren added a comment -

No review necessary. The original fix which is simply being re-merged was reviewed.

Paul Curren added a comment -

For clarification on the status of this issue.

It is currently resolved in Confluence 2.10.1 and later versions of Confluence 2.10.

It is currently not resolved in Confluence 3.0. It is scheduled to be fixed in Confluence 3.0.1.

Paul Curren added a comment -

This fix was accidentally removed from the Confluence development trunk part-way through the 3.0 release cycle. It will be re-instated in Confluence 3.0.1.

Andrew Lynch (Inactive) added a comment -

Hi Christoph,

This is possible, but it might cause problems with other plugins that may be expecting the non-seraph keys to still be present. I'll try to add in the property com.atlassian.logout.invalidatesession for 3.0, which when true will invalidate the Session after wiping the keys and triggering the firing of the event, which should make your plugin unnecessary.

Regards,
Andrew Lynch

Christoph Lenggenhager added a comment -

I have a question about the current implementation.
I was a supporter of the bug that caused this issue, i.e. I wanted sessions to be invalidated upon logout.
As this was not possible at the time when I started to integrate Confluence in our environment, I came up with a plugin that listens for logout events and invalidates the session upon such an event.
I was pleased to hear that invalidation should become standard and a bit disappointed (i.e. I thought that I would have to use my plugin again) as it didn't.

Now, I am upgrading from 2.10 to 2.10.3 and have to find out that even my workaround is not possible any longer, because the logout event is sent before all non-seraph session keys are removed, so a session invalidation in the event listener results in an exception:

java.lang.IllegalStateException: getAttributeNames: Session already invalidated

Therefore, I wonder whether it might be possible to either send the logout event after the removal of the attributes or to handle the case where the session got invalidated before, i.e. in an EventListener or - even better - in the authenticator used.

Thank you for considering my input and no bad feelings on my side, I like your work!

Kind regards,
Christoph

CharlesA added a comment -

I just changed LogoutAction to remove all session keys that don't start with "seraph". Given session attributes should be the only place we are storing session-related state, I can't really see how this is any less secure than invalidating the session.

Checked into 2.10-stable and trunk.
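As an added illustration of the approach the description and CharlesA's comment settle on (wipe every attribute that does not start with "seraph"), and of the already-invalidated case Christoph ran into, here is example code that is not Confluence's own LogoutAction. It assumes the Servlet HttpSession API and reads the property name Andrew mentions as a plain JVM system property, which is an assumption of this example.

```java
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.servlet.http.HttpSession;

/** Example logout cleanup; not Confluence's LogoutAction. */
public final class LogoutSessionCleaner {
    static final String SERAPH_PREFIX = "seraph";

    /**
     * Removes every attribute whose name does not start with "seraph" so that
     * seraph's own keys (e.g. its LOGGED_OUT_KEY) survive the logout.
     * Returns the removed names; an empty list if the session was already gone.
     */
    public static List<String> removeNonSeraphAttributes(HttpSession session) {
        List<String> removed = new ArrayList<>();
        if (session == null) {
            return removed;
        }
        try {
            // Snapshot the names first: removing while walking the live
            // enumeration is undefined behaviour in the Servlet API.
            List<String> names = new ArrayList<>();
            for (Enumeration<String> e = session.getAttributeNames(); e.hasMoreElements();) {
                names.add(e.nextElement());
            }
            for (String name : names) {
                if (!name.startsWith(SERAPH_PREFIX)) {
                    session.removeAttribute(name);
                    removed.add(name);
                }
            }
        } catch (IllegalStateException alreadyInvalidated) {
            // A logout-event listener (like Christoph's plugin) may have
            // invalidated the session before we got here; nothing left to wipe.
        }
        return removed;
    }

    /** Wipe first, then (optionally) invalidate, so listeners never see a live but dirty session. */
    public static void logout(HttpSession session) {
        removeNonSeraphAttributes(session);
        // Property name taken from the thread; reading it via Boolean.getBoolean is an assumption.
        if (session != null && Boolean.getBoolean("com.atlassian.logout.invalidatesession")) {
            try {
                session.invalidate();
            } catch (IllegalStateException ignored) {
                // Already invalidated by someone else; the desired end state is reached.
            }
        }
    }
}
```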

Andrew Lynch (Inactive) added a comment -

We didn't have time to fix this properly for 2.10, so this issue is left open.
By specifying com.atlassian.logout.preservesession=true as a system property, the session will not be invalidated from 2.10 onwards.

alynch Andrew Lynch (Inactive)
ckiehl Chris Kiehl