  1. Jira Data Center
  2. JRASERVER-27415

SSOSeraphAuthenticator unnecessarily creates sessions on logout

Details

    • 5
    • Severity 3 - Minor
    • Atlassian Update – 06 December 2017

      Hi everyone,

      We have recently reviewed this issue and the overall interest in the problem. As the issue hasn't collected votes, watchers, comments, or support cases from many customers during its lifetime, it's very low on our priority list, and will not be fixed in the foreseeable future. That's why we've decided to resolve it as Time Out.

      Although we're aware the issue is still important to those of you who were involved in the conversations around it, we want to be clear in managing your expectations. The Jira team is focusing on issues that have broad impact and high value, reflected by the number of comments, votes, support cases, and customers interested. Please consult the Atlassian Bugfix Policy for more details.

      We understand how disappointing this decision may be, but we hope you'll appreciate our transparent approach and communication.
      Atlassian will continue to watch this issue for further updates, so please feel free to share your thoughts in the comments.
      Thank you,
      Ignat Alexeyenko
      Jira Bugmaster


    Description

      com.atlassian.jira.security.login.SSOSeraphAuthenticator.logoutUser() calls request.getSession() to remove an attribute from the session. However, request.getSession() creates a session if none is attached to the request. This results in sessions being created unnecessarily. A better approach would be to use request.getSession(false) and return if there is no session.

      The impact is described in JSTDEV-1485. I'm marking this as minor because there are general workarounds afoot (JRA-27406 to rapidly expire one-request sessions, and CWD-2784 to avoid calling logout on the concrete Authenticator if there is no session). However, it would be worth fixing the root cause.
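
      The difference between the two calls described above, as an added example that is not Jira's or Seraph's own code. It assumes the javax.servlet API is on the classpath; the class name, the attribute key and the proxy-based request stub are hypothetical and constructed for the demonstration.

```java
import java.lang.reflect.Proxy;
import java.util.concurrent.atomic.AtomicInteger;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class LogoutSessionDemo {
    // Hypothetical attribute key; the key the real authenticator removes is not shown on the page.
    static final String USER_ATTR = "example.logged.in.user";

    // Behaviour described in the issue: getSession() creates a session when none exists.
    static void logoutCreatingSession(HttpServletRequest request) {
        request.getSession().removeAttribute(USER_ATTR);
    }

    // Suggested approach: getSession(false) returns null when there is no session.
    static void logoutWithoutCreatingSession(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return; // nothing to clean up, and no session is allocated
        }
        session.removeAttribute(USER_ATTR);
    }

    // Constructed stand-in for a container request that arrives without a session;
    // it counts how many sessions the code under test forces into existence.
    static HttpServletRequest sessionlessRequest(AtomicInteger created) {
        ClassLoader loader = LogoutSessionDemo.class.getClassLoader();
        HttpSession[] holder = new HttpSession[1];
        return (HttpServletRequest) Proxy.newProxyInstance(
            loader, new Class<?>[] {HttpServletRequest.class},
            (proxy, method, args) -> {
                if (!method.getName().equals("getSession")) return null;
                boolean create = args == null || (Boolean) args[0]; // no-arg form means create=true
                if (holder[0] == null && create) {
                    created.incrementAndGet();
                    holder[0] = (HttpSession) Proxy.newProxyInstance(
                        loader, new Class<?>[] {HttpSession.class}, (p, m, a) -> null);
                }
                return holder[0];
            });
    }

    public static void main(String[] argv) {
        AtomicInteger before = new AtomicInteger(), after = new AtomicInteger();
        logoutCreatingSession(sessionlessRequest(before));
        logoutWithoutCreatingSession(sessionlessRequest(after));
        System.out.println("sessions created: before=" + before + " after=" + after);
    }
}
```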

          People

            Unassigned Unassigned
            rfernandes Robin Fernandes (go/robinleave) (Inactive)