Service Desk customer portal does NOT respect logout.url semantics of Seraph Authenticator


      Hosted JIRA Service Desk version 3.1.2

      The Seraph authenticator docs for the logout.url setting state the following:

      <init-param>
          <!--
            URL for logging out.
            - If relative, Seraph just redirects to this URL, which is responsible for calling Authenticator.logout().
            - If absolute (eg. SSO applications), Seraph calls Authenticator.logout() and redirects to the URL
          -->
          <param-name>logout.url</param-name>
          <param-value>/secure/logout!default.jspa</param-value>
      </init-param>

      It works for relative URLs. But for absolute URLs, it just redirects to the given URL without actually logging out the user. On inspecting the logout link on the Service Desk customer portal I saw that it is simply an anchor tag with an href pointing to the link given for the logout.url key in seraph-config.xml. No AJAX call goes to JIRA. Thus the user is never logged out, only redirected.

      This is a security issue since a user can leave an active session unattended.
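      Added example (not part of the report and not Atlassian code): a small checker for the contract described above. It models Seraph's two logout.url cases, scans a rendered portal page for the logout anchor, and flags the failing pattern, a bare href to an absolute URL, because nothing on the JIRA side runs before the browser leaves. The sample pages are constructed for the example; the live probe assumes a JSESSIONID cookie, a customer-portal path supplied by the caller, and that /rest/api/2/myself answers 401 once the session is invalid.

```python
"""Check whether a customer-portal logout link honours Seraph's logout.url contract.

Illustration added to the issue; not code from Atlassian or from the reporter.

Seraph's documented semantics for logout.url:
  - relative URL: Seraph only redirects; the target is responsible for calling
    Authenticator.logout()
  - absolute URL (SSO): Seraph calls Authenticator.logout() and then redirects

A portal that renders a bare <a href="...absolute..."> satisfies neither branch:
the browser goes straight to the SSO host and the JIRA session cookie stays valid.
"""
import sys
import urllib.error
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample pages, not captured from a real instance.
PORTAL_PAGE_ABSOLUTE = (
    '<html><body><a id="logout" href="https://sso.example.com/logout">Log out</a>'
    '</body></html>'
)
PORTAL_PAGE_RELATIVE = '<a href="/secure/logout!default.jspa">Log out</a>'


def is_absolute(url: str) -> bool:
    """Seraph's distinction: an absolute URL carries a scheme and a host."""
    parts = urlsplit(url)
    return bool(parts.scheme) and bool(parts.netloc)


def seraph_logout_behaviour(logout_url: str) -> tuple:
    """Model of Seraph's own handling: (server_calls_logout, redirect_target)."""
    return (is_absolute(logout_url), logout_url)


class _LogoutAnchors(HTMLParser):
    """Collects hrefs of anchors whose text or attributes mention logout."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self._current = None  # [href, lower-cased text and attribute hints]

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            hints = " ".join(v.lower() for v in a.values() if v)
            self._current = [a.get("href", ""), "logout" if "logout" in hints else ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data.lower()

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, text = self._current
            if "logout" in text or "log out" in text:
                self.hrefs.append(href)
            self._current = None


def find_logout_hrefs(html: str) -> list:
    parser = _LogoutAnchors()
    parser.feed(html)
    return parser.hrefs


def assess_logout_link(html: str, configured_logout_url: str) -> dict:
    """Verdict on whether the page's logout link can end the JIRA session."""
    hrefs = find_logout_hrefs(html)
    if not hrefs:
        return {"ok": False, "href": None, "reason": "no logout link found"}
    href = hrefs[0]
    server_must_logout, _ = seraph_logout_behaviour(href)
    # A plain anchor executes nothing on JIRA before the browser navigates, so
    # the only acceptable case is a relative target that performs the logout itself.
    if server_must_logout:
        return {"ok": False, "href": href, "matches_config": href == configured_logout_url,
                "reason": "bare link to an absolute URL; Authenticator.logout() never runs"}
    return {"ok": True, "href": href, "matches_config": href == configured_logout_url,
            "reason": "relative link; the target JIRA action is responsible for logout"}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # stop at the first response; never hop to the SSO host


def session_survives_logout(base_url: str, portal_path: str, jsessionid: str) -> bool:
    """Live probe (assumed paths): fetch the portal with an authenticated cookie,
    follow a relative logout link once, then ask /rest/api/2/myself whether the
    old cookie is still accepted. True means logout did not invalidate the session."""
    opener = urllib.request.build_opener(_NoRedirect())
    opener.addheaders = [("Cookie", "JSESSIONID=" + jsessionid)]
    html = opener.open(base_url + portal_path).read().decode("utf-8", "replace")
    hrefs = find_logout_hrefs(html)
    if hrefs and not is_absolute(hrefs[0]):
        try:
            opener.open(base_url + hrefs[0])
        except urllib.error.HTTPError:
            pass  # a 3xx to the post-logout page is the expected answer
    try:  # an absolute href was handed to the browser; nothing on JIRA was called
        opener.open(base_url + "/rest/api/2/myself")
        return True
    except urllib.error.HTTPError as err:
        return err.code != 401


if __name__ == "__main__":
    if len(sys.argv) == 4:
        print("session still valid:", session_survives_logout(*sys.argv[1:4]))
    else:
        print(assess_logout_link(PORTAL_PAGE_ABSOLUTE, "https://sso.example.com/logout"))
```

      Run without arguments to see the verdict on the constructed pages; with `base_url portal_path jsessionid` it performs the live probe against an instance you are authorised to test.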

            Assignee:
            pat (Inactive)
            Reporter:
            Juzer Ali