
Crowd creates new tokens for applications and users even if valid ones already exist

      Instead of using the existing tokens Crowd is creating new ones for Applications and Users.

            [CWD-1372] Crowd creates new tokens for applications and users even if valid ones already exist

            Monique Khairuliana (Inactive) made changes -
            Workflow Original: Simplified Crowd Development Workflow v2 - restricted [ 1509337 ] New: JAC Bug Workflow v3 [ 3364513 ]
            Status Original: Resolved [ 5 ] New: Closed [ 6 ]
            Owen made changes -
            Workflow Original: Simplified Crowd Development Workflow v2 [ 1391159 ] New: Simplified Crowd Development Workflow v2 - restricted [ 1509337 ]
            Owen made changes -
            Workflow Original: Crowd Development Workflow v2 [ 272991 ] New: Simplified Crowd Development Workflow v2 [ 1391159 ]
            jawong.adm made changes -
            Workflow Original: JIRA Bug Workflow v2 [ 174077 ] New: Crowd Development Workflow v2 [ 272991 ]
            Justin Koke made changes -
            Workflow Original: jira [ 149800 ] New: JIRA Bug Workflow v2 [ 174077 ]
            Justin Koke made changes -
            Resolution New: Fixed [ 1 ]
            Status Original: Open [ 1 ] New: Resolved [ 5 ]
            shihab made changes -
            Component/s New: Authentication/Security [ 12726 ]
            Component/s New: SSO [ 12722 ]
            Fix Version/s New: 2.0 [ 12269 ]
            Fix Version/s Original: 1.6.2 [ 14411 ]
            Environment Original: Crowd integrated with Apache

            shihab added a comment -

            A new token gets generated on each authenticate call. If your application does not have SSO (i.e. not calling isValidToken) then it is likely that multiple tokens will get generated.

            This bug was introduced in CWD-1040 when randomness was added into the token. As each token is random, it is never matched to an existing token on an authenticate call.

            The fix will involve storing both an identifier_hash and randomized_hash in the Token table such that:

            • the identifier_hash uniquely identifies a user's access (username, directory ID, validation factors such as IP, user-agent, XFF). This can then be used to determine whether we create a new token upon receiving the "authenticate" call. This will still maintain security as the username and password are required to process an "authenticate" call.
            • the randomized_hash contains the uniqueness of the identifier_hash and the security of a very large random number. This is used to maintain the session-based SSO cookie and prevents the session fixation attack described in CWD-1040.
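
            The two-hash token design described in the comment above, worked through as an added example; this is illustration code, not Crowd's implementation. The function names `identifier_hash` and `randomized_hash` follow the comment, while `TokenStore`, `LegacyTokenStore`, `Token`, the `CREDENTIALS` table, the use of SHA-256, and the sample validation factors are assumptions constructed for the example. The `LegacyTokenStore` class reproduces the pre-fix behaviour (only the random value is stored, so repeated authenticate calls never find the earlier token); `TokenStore` shows the fix, where the deterministic identifier hash finds an existing token and the randomized hash is the only value that is accepted as an SSO cookie.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed credential table standing in for Crowd's directory lookup
# (hypothetical; real Crowd verifies the password against the user's directory).
CREDENTIALS = {("alice", 1): "s3cret-passphrase"}


def identifier_hash(username, directory_id, validation_factors):
    """Deterministic digest of who is authenticating and from where.

    The same user, directory and validation factors (IP, user-agent, XFF)
    always map to the same value, so an existing token can be found on a
    repeated authenticate call. SHA-256 and case-insensitive usernames are
    this example's choices, not Crowd's.
    """
    parts = [username.lower(), str(directory_id)]
    parts += [f"{k}={v}" for k, v in sorted(validation_factors.items())]
    return hashlib.sha256("\x00".join(parts).encode("utf-8")).hexdigest()


def randomized_hash(ident_hash):
    """Cookie value: the identifier hash mixed with 256 bits of CSPRNG output.

    Because of the random part it cannot be derived from the user's identity
    alone, which is what addresses the session fixation issue from CWD-1040.
    """
    nonce = secrets.token_bytes(32)
    return hashlib.sha256(ident_hash.encode("ascii") + nonce).hexdigest()


@dataclass
class Token:
    identifier_hash: str
    randomized_hash: str
    username: str
    directory_id: int
    validation_factors: dict = field(default_factory=dict)


class TokenStore:
    """Fixed behaviour: one token per (user, directory, validation factors)."""

    def __init__(self):
        self._by_identifier = {}   # identifier_hash -> Token
        self._by_randomized = {}   # randomized_hash -> Token

    def token_count(self):
        return len(self._by_randomized)

    def _check_password(self, username, directory_id, password):
        # The password is still required before any token is handed out.
        expected = CREDENTIALS.get((username, directory_id))
        if expected is None or not hmac.compare_digest(expected, password):
            raise PermissionError("invalid credentials")

    def authenticate(self, username, directory_id, password, validation_factors):
        self._check_password(username, directory_id, password)
        ident = identifier_hash(username, directory_id, validation_factors)
        existing = self._by_identifier.get(ident)
        if existing is not None:
            return existing            # reuse instead of minting another token
        token = Token(ident, randomized_hash(ident), username, directory_id,
                      dict(validation_factors))
        self._by_identifier[ident] = token
        self._by_randomized[token.randomized_hash] = token
        return token

    def is_valid_token(self, cookie_value, validation_factors):
        """SSO check: the cookie must be a known randomized hash, presented
        with the same validation factors it was issued for."""
        token = self._by_randomized.get(cookie_value)
        if token is None:
            return False
        return token.identifier_hash == identifier_hash(
            token.username, token.directory_id, validation_factors)


class LegacyTokenStore(TokenStore):
    """Pre-fix behaviour from the comment: only the random value is indexed,
    so a repeated authenticate call never finds the earlier token."""

    def authenticate(self, username, directory_id, password, validation_factors):
        self._check_password(username, directory_id, password)
        ident = identifier_hash(username, directory_id, validation_factors)
        token = Token(ident, randomized_hash(ident), username, directory_id,
                      dict(validation_factors))
        self._by_randomized[token.randomized_hash] = token   # no identifier index
        return token


if __name__ == "__main__":
    # Constructed validation factors for a single client.
    factors = {"remote_address": "203.0.113.10", "User-Agent": "Mozilla/5.0"}
    store = TokenStore()
    first = store.authenticate("alice", 1, "s3cret-passphrase", factors)
    second = store.authenticate("alice", 1, "s3cret-passphrase", factors)
    print("fixed store reuses token:", first is second, "tokens:", store.token_count())
    legacy = LegacyTokenStore()
    legacy.authenticate("alice", 1, "s3cret-passphrase", factors)
    legacy.authenticate("alice", 1, "s3cret-passphrase", factors)
    print("legacy store tokens after two logins:", legacy.token_count())
```

            Note that `is_valid_token` recomputes the identifier hash from the factors presented with the cookie, so a token replayed from a different address or user-agent is rejected, and that presenting the identifier hash itself as a cookie fails because only randomized hashes are indexed for validation.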

            David O'Flynn [Atlassian] made changes -
            Fix Version/s New: 1.6.2 [ 14411 ]
            Fix Version/s Original: 1.6.1 [ 14395 ]
            David O'Flynn [Atlassian] made changes -
            Fix Version/s New: 1.6.1 [ 14395 ]

              doflynn David O'Flynn [Atlassian]
              rbattaglin Renan Battaglin
              Affected customers: 7
              Watchers: 6
