Details
Suggestion
Resolution: Unresolved
Description
Crowd token reuse is keyed only on the client's IP address, not on the user agent. As a result, two different user agents can interfere with each other's sessions, whether they run on the same machine or on different machines behind the same firewall, which present the same IP address to the server. A specific instance of the problem is the Bamboo Eclipse connector, which does not check whether the user is already logged in before sending a username and password. That fresh login invalidates the existing token on the server side, and because it is the same token a browser on the same host is using, the browser is logged out. Token reuse, if it is necessary at all, should at least take the user agent into account.
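As an added illustration (not code from Crowd, Bamboo or the reporter), the following Python model reproduces the interference described above with a small token store whose reuse key is either the client IP alone or the IP together with the User-Agent. The user database, the client IP addresses and the User-Agent strings (including the one for the Eclipse connector) are constructed for the example.

```python
import secrets

# Constructed user database for the example; not Crowd's directory.
USERS = {"alice": "correct horse battery staple"}


class Client:
    """What the server can see of a client: its source IP and User-Agent header."""

    def __init__(self, ip: str, user_agent: str):
        self.ip = ip
        self.user_agent = user_agent


class TokenStore:
    """SSO token store with a pluggable reuse key.

    reuse_key="ip"    : reuse decided by client IP only (behaviour in the report)
    reuse_key="ip_ua" : reuse decided by (IP, User-Agent) (the suggested change)
    """

    def __init__(self, reuse_key: str):
        if reuse_key not in ("ip", "ip_ua"):
            raise ValueError(reuse_key)
        self.reuse_key = reuse_key
        self._token_for_key = {}   # reuse key -> currently issued token
        self._valid = set()        # tokens the server still accepts

    def _key(self, c: Client):
        return c.ip if self.reuse_key == "ip" else (c.ip, c.user_agent)

    def login(self, c: Client, username: str, password: str) -> str:
        """Credential login. If a token already exists under the same reuse key
        it is invalidated server-side and a fresh one is issued; that revocation
        is what logs out the other client sharing the key."""
        if USERS.get(username) != password:
            raise PermissionError("bad credentials")
        key = self._key(c)
        old = self._token_for_key.get(key)
        if old is not None:
            self._valid.discard(old)
        token = secrets.token_hex(16)
        self._token_for_key[key] = token
        self._valid.add(token)
        return token

    def is_valid(self, token: str) -> bool:
        return token in self._valid


def session_survives(reuse_key: str, first: Client, second: Client) -> bool:
    """Log `first` in, then have `second` send credentials without checking for
    an existing session (as the Eclipse connector does). Return whether
    `first`'s token is still accepted afterwards."""
    store = TokenStore(reuse_key)
    first_token = store.login(first, "alice", USERS["alice"])
    store.login(second, "alice", USERS["alice"])
    return store.is_valid(first_token)


# Constructed clients. BROWSER and ECLIPSE sit on one workstation; NAT_A and
# NAT_B are two machines behind one firewall, so they share a source IP and,
# running the same browser build, also the same User-Agent.
BROWSER = Client("192.0.2.10", "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.5")
ECLIPSE = Client("192.0.2.10", "Bamboo-Eclipse-Connector")  # assumed UA string
NAT_A = Client("198.51.100.1", "Mozilla/5.0 (Windows NT 6.1) Firefox/3.5")
NAT_B = Client("198.51.100.1", "Mozilla/5.0 (Windows NT 6.1) Firefox/3.5")


if __name__ == "__main__":
    print("ip,    browser then Eclipse:   ", session_survives("ip", BROWSER, ECLIPSE))
    print("ip_ua, browser then Eclipse:   ", session_survives("ip_ua", BROWSER, ECLIPSE))
    print("ip_ua, two NAT hosts, same UA: ", session_survives("ip_ua", NAT_A, NAT_B))
```

With the IP-only key, the connector's login revokes the browser's token; keying on (IP, User-Agent) keeps the two clients on one host apart. The third scenario shows the limit of that change: the User-Agent is chosen by the client, so two machines behind the same NAT running the same browser still share a key and still knock each other out.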