Closing the browser ends the user session. When the user re-opens the browser and accesses Crucible, there is no login prompt and Crucible treats the request as coming from an authenticated user. Any page load after the initial one results in the user being directed to the login page.
Steps to Reproduce
- Have Crucible integrated with Crowd SSO
- Log into Crucible with a user from Crowd
- Close the web browser
- Re-open the web browser
- Check the cookies: the Crowd token is gone
- Access Crucible, notice that it returns data as if the user is logged in
- This is easier to confirm if anonymous access is disabled
- Reload the page or access a separate Crucible page
- User is redirected back to login page
When the web browser is closed, the Crowd token is cleared, but not the remember cookie. It seems that this cookie is used for some checks, making Crucible still return data even when the user is not logged in:
- Attached are 2 screenshots of what we see before closing the browser and what we see right after re-opening the browser (before accessing Crucible).
- Note that the browser is not configured to re-open previous sessions
- When accessing Crucible for the first time, the headers look like this:
- Notice the cookie: remember=crowdadmin:23:62ca5b2cc3ba57dfa76888e33583f601
- Crucible treats this like a logged-in user and displays the Crucible page
- When reloading the page, the headers change:
- The remember cookie is gone and the user is directed to the login page.
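The following is an added illustrative model of the cookie sequence in this report; it is not Crucible's or Crowd's code. It assumes two cookies: a session-scoped SSO token (no expiry, so the browser drops it on close; the cookie name `crowd.token_key` is an assumption) and the persistent `remember` cookie from the headers above. The `buggy_request` handler accepts the remember cookie on its own and consumes it, which gives exactly the serve-once-then-redirect behaviour described in the steps; the `fixed_request` handler gates every request on the SSO token only, so the user is sent to the login page consistently.

```python
"""Illustrative model (added example, not Crucible's implementation) of why a
persistent remember cookie that survives a browser close can produce one
authenticated-looking response followed by a login redirect."""
from http.cookies import SimpleCookie

SSO_COOKIE = "crowd.token_key"   # assumed name of the Crowd SSO token cookie
REMEMBER_COOKIE = "remember"     # name seen in the report's headers

# Value in the shape shown in the report (user:id:hash); treated as opaque here.
REMEMBER_VALUE = "crowdadmin:23:62ca5b2cc3ba57dfa76888e33583f601"

# Constructed set of tokens the (hypothetical) server considers valid.
VALID_SSO_TOKENS = {"session-token-xyz"}


def build_jar_after_login():
    """Cookies the browser holds right after a successful Crowd SSO login."""
    jar = SimpleCookie()
    jar[SSO_COOKIE] = "session-token-xyz"            # no Max-Age/Expires: session cookie
    jar[REMEMBER_COOKIE] = REMEMBER_VALUE
    jar[REMEMBER_COOKIE]["max-age"] = 14 * 24 * 3600  # persistent cookie
    return jar


def close_browser(jar):
    """Model a browser close: only cookies with an expiry survive."""
    kept = SimpleCookie()
    for name, morsel in jar.items():
        if morsel["max-age"] or morsel["expires"]:
            kept[name] = morsel.value
            kept[name]["max-age"] = morsel["max-age"]
            kept[name]["expires"] = morsel["expires"]
    return kept


def cookie_header(jar):
    """The Cookie request header the browser would send for this jar."""
    return "; ".join(f"{name}={morsel.value}" for name, morsel in jar.items())


def _has_valid_sso_token(jar):
    morsel = jar.get(SSO_COOKIE)
    return morsel is not None and morsel.value in VALID_SSO_TOKENS


def buggy_request(jar):
    """Reported behaviour: a remember cookie with no SSO token is accepted once,
    then dropped, so the next request has nothing and redirects to login."""
    if _has_valid_sso_token(jar):
        return 200
    if jar.get(REMEMBER_COOKIE):
        del jar[REMEMBER_COOKIE]   # consumed without establishing a session
        return 200                 # data served although no session exists
    return 302


def fixed_request(jar):
    """Consistent behaviour: only a valid SSO token grants access. A remember
    cookie without a token is cleared and the user is sent to login every time."""
    if _has_valid_sso_token(jar):
        return 200
    if jar.get(REMEMBER_COOKIE):
        del jar[REMEMBER_COOKIE]
    return 302


def reproduce(handler):
    """Log in, close the browser, then request a Crucible page twice.
    Returns the two status codes (200 = page served, 302 = login redirect)."""
    jar = close_browser(build_jar_after_login())
    first = handler(jar)
    second = handler(jar)
    return first, second


if __name__ == "__main__":
    print("cookies after close:", cookie_header(close_browser(build_jar_after_login())))
    print("reported behaviour :", reproduce(buggy_request))
    print("consistent gating  :", reproduce(fixed_request))
```

Running the script prints the remember cookie as the only survivor of the close, `(200, 302)` for the reported behaviour and `(302, 302)` once access is gated on the SSO token alone. The same two-request probe, issued against a real instance with only the remember cookie set, is a quick way to confirm whether a deployment still shows the inconsistency.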