Crowd session token should be unique for each user, directory, machine

    • Type: Suggestion
    • Resolution: Fixed
    • Fix Version/s: 1.0.3

      The validation factors currently generate tokens based on machine-specific attributes, such as remote host, user-agent, etc.

      If a user on a machine had multiple identities, then the token generated would be the same (as the machine attributes are the same).

      It would be nice if this token was unique based on the current validation factors as well as the username of the principal and the directory which the principal belongs to (uniquely identifying the principal).

            [CWD-216] Crowd session token should be unique for each user, directory, machine

            Katherine Yabut made changes -
            Workflow Original: JAC Suggestion Workflow [ 3389236 ] New: JAC Suggestion Workflow 3 [ 3628482 ]
            Status Original: RESOLVED [ 5 ] New: Closed [ 6 ]
            Monique Khairuliana (Inactive) made changes -
            Workflow Original: Simplified Crowd Development Workflow v2 [ 1392696 ] New: JAC Suggestion Workflow [ 3389236 ]
            Issue Type Original: Improvement [ 4 ] New: Suggestion [ 10000 ]
            Status Original: Closed [ 6 ] New: Resolved [ 5 ]
            Owen made changes -
            Workflow Original: Crowd Development Workflow v2 [ 272405 ] New: Simplified Crowd Development Workflow v2 [ 1392696 ]
            jawong.adm made changes -
            Workflow Original: Feature Request Workflow [ 173616 ] New: Crowd Development Workflow v2 [ 272405 ]
            Justin Koke made changes -
            Workflow Original: jira [ 78800 ] New: Feature Request Workflow [ 173616 ]
            J. G. Kelley made changes -
            Link New: This issue is related to CWD-1040 [ CWD-1040 ]
            Justen Stepka [Atlassian] made changes -
            Status Original: Resolved [ 5 ] New: Closed [ 6 ]
            shihab made changes -
            Assignee Original: Justen Stepka [Atlassian] [ justen.stepka@atlassian.com ] New: shihab [ shamid@atlassian.com ]
            Resolution New: Fixed [ 1 ]
            Status Original: Open [ 1 ] New: Resolved [ 5 ]

            shihab added a comment -

            The fix includes:

            • token generation to be based on name and directoryID (as well as validation factors)
            • removal of authentication caching for explicit "login" calls in CrowdAuthenticator for Seraph
            • removal of Crowd session-token caching in HttpSession in the getToken method in HttpAuthenticator

            Justen Stepka [Atlassian] made changes -
            Fix Version/s New: 1.0.3 [ 12752 ]
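
The collision described in this issue and the effect of the fix, as an added example that is not Crowd's own code: a token derived only from machine attributes is shared by every identity on that machine, while mixing in the username and directory ID separates them. The HMAC-SHA-256 construction, the key, all function names and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

SERVER_KEY = b"constructed-demo-key"  # constructed value; keying is an assumption


def encode_fields(fields):
    """Length-prefix each field so ("ab", "c") and ("a", "bc") never encode alike."""
    out = b""
    for f in fields:
        raw = str(f).encode("utf-8")
        out += len(raw).to_bytes(4, "big") + raw
    return out


def factor_fields(factors):
    # Canonical order, so the same factors always produce the same bytes.
    return [part for item in sorted(factors.items()) for part in item]


def token_machine_only(factors):
    """Behaviour the issue describes: only machine attributes feed the token."""
    msg = encode_fields(factor_fields(factors))
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def token_per_principal(factors, username, directory_id):
    """Behaviour the fix describes: name and directory ID are mixed in as well."""
    msg = encode_fields([username, directory_id] + factor_fields(factors))
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def shared_tokens(sessions):
    """Return {token: principals} for tokens held by more than one principal."""
    owners = defaultdict(set)
    for username, directory_id, token in sessions:
        owners[token].add((username, directory_id))
    return {t: p for t, p in owners.items() if len(p) > 1}


# Constructed sample: one workstation, three identities across two directories.
FACTORS = {"remote_host": "192.0.2.10", "user_agent": "ExampleBrowser/1.0"}
PRINCIPALS = [("alice", 1), ("alice", 2), ("admin", 1)]

before = [(u, d, token_machine_only(FACTORS)) for u, d in PRINCIPALS]
after = [(u, d, token_per_principal(FACTORS, u, d)) for u, d in PRINCIPALS]

print("machine-only tokens shared by:", list(shared_tokens(before).values()))
print("per-principal tokens shared by:", list(shared_tokens(after).values()))
```

`shared_tokens` can also be run over an export of live sessions to check whether any token is held by more than one (username, directory) pair.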

              shamid@atlassian.com shihab