- Bug
- Resolution: Fixed
- Low
- None
- 5.9.4
- Severity 2 - Major
Context
We have Confluence running with SSO from Crowd. Confluence is behind a corporate reverse proxy (from BlueCoat) which has caching enabled but respects the Cache-Control, Expires and Pragma HTTP headers.
Problem
We have discovered the following cases of session mix-up, where a user [1] gets the Crowd token cookie value of another user [2] and can then perform actions in Confluence as if logged in with user [2]'s credentials.
Details
After some investigation, we discovered the following. If a user
- has no Confluence session
- has a valid Crowd session
- requests some Confluence pages
then Confluence returns responses which:
- have no Cache-Control headers
- have Set-Cookie: crowd.token_key headers
This behavior is dangerous because some Confluence resources can be cached by the upstream reverse proxy together with their Set-Cookie headers, and then served from the cache to other users.
Workaround
On the reverse proxy, disable caching either completely or selectively for responses containing Set-Cookie headers.
Real fix
Confluence should set a Cache-Control header whenever it sends Set-Cookie headers.
Same as BSERV-8483, JRA-60043, BAM-17294
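A small checker for the condition this report describes (a response that sets a cookie such as crowd.token_key while remaining storable by a shared cache), together with the header fix the report asks for. This is an added example, not code from the issue or from Confluence; the sample response is constructed.

```python
# Added example: flag responses that set cookies without a Cache-Control
# directive that keeps a shared cache (the reverse proxy) from storing them.
from typing import List, Set, Tuple

Header = Tuple[str, str]

# Either directive is enough to stop a shared cache from storing the response.
SAFE_DIRECTIVES = {"no-store", "private"}


def parse_response_head(raw: str) -> List[Header]:
    """Split a raw HTTP response head into lower-cased (name, value) pairs."""
    pairs: List[Header] = []
    for line in raw.strip().splitlines()[1:]:  # first line is the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def cache_control_directives(headers: List[Header]) -> Set[str]:
    """Directive names from every Cache-Control header, '=value' parts dropped."""
    found: Set[str] = set()
    for name, value in headers:
        if name == "cache-control":
            found.update(d.strip().split("=", 1)[0].lower() for d in value.split(","))
    return found


def cookies_set(headers: List[Header]) -> List[str]:
    """Names of the cookies a response sets (e.g. crowd.token_key)."""
    return [v.split("=", 1)[0].strip() for n, v in headers if n == "set-cookie"]


def unsafe_cookies(raw: str) -> List[str]:
    """Cookies set by a response that a shared cache is still allowed to store."""
    headers = parse_response_head(raw)
    if cache_control_directives(headers) & SAFE_DIRECTIVES:
        return []
    return cookies_set(headers)


def add_cache_control(headers: List[Header]) -> List[Header]:
    """The fix the report asks for: add Cache-Control whenever Set-Cookie is present."""
    if cookies_set(headers) and not (cache_control_directives(headers) & SAFE_DIRECTIVES):
        headers = headers + [("cache-control", "no-cache, no-store, must-revalidate"),
                             ("pragma", "no-cache"), ("expires", "0")]
    return headers


# Constructed sample in the vulnerable shape from the report: cookie set, no Cache-Control.
VULNERABLE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: crowd.token_key=CONSTRUCTED_TOKEN_VALUE; Path=/; HttpOnly
"""
```

Running `unsafe_cookies(VULNERABLE)` reports `crowd.token_key`; after `add_cache_control` the same headers pass the check.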
- is related to JRASERVER-60043 Responses with Set-Cookie header cached