Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: High
Fix Version/s: 1.0.3
Affects Version/s: 0.4.4
Component/s: Core features
Labels:
None
Environment:

Hide

Crowd: 0.4.4 Standalone

JRE:
java version "1.6.0"
Java(TM) SE Runtime Environment (build 1.6.0-b105)
Java HotSpot(TM) Client VM (build 1.6.0-b105, mixed mode, sharing)

OS: RHES 4 update 4
Linux source-systemsx 2.6.9-42.0.8.EL #1 Tue Jan 23 12:37:31 EST 2007 i686 i686 i386 GNU/Linux

Show
Crowd: 0.4.4 Standalone JRE: java version "1.6.0" Java(TM) SE Runtime Environment (build 1.6.0-b105) Java HotSpot(TM) Client VM (build 1.6.0-b105, mixed mode, sharing) OS: RHES 4 update 4 Linux source-systemsx 2.6.9-42.0.8.EL #1 Tue Jan 23 12:37:31 EST 2007 i686 i686 i386 GNU/Linux

Bug Fix Policy:
View Atlassian Server bug fix policy

Description

When a valid (but unauthorized) principal (user) of Crowd tries to login to the Administration Console after an (authorized) administrator has been logged in and then logged out on the same computer, this unauthorized principal will be granted access to the Administration Console during some time window (approx. 5 minutes).

Clearing all cookies in the browser when the authorized admin has logged out doesn't help to avoid the problem. Expiring the session in the Administration Console doesn't help either - the login will be successful again when performed within the time window.

Ironically if this unauthorized principal (when being logged in) surfs to Applications - Crowd - Config Test and provides his credentials there, he is (correctly) rejected ("Invalid verification").

Attachments

Issue Links

is related to

CWD-216 Crowd session token should be unique for each user, directory, machine

Closed

Activity

People

Assignee:: shihab

Reporter:: Bernd Rinn

Votes:: 1 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 17/Feb/2007 8:18 PM

Updated:: 09/Sep/2007 11:46 PM

Resolved:: 09/Sep/2007 11:45 PM