-
Bug
-
Resolution: Fixed
-
Medium
-
2.3.1
-
None
-
true
The new session fixation code we put into Seraph during 2.3.1 has broken JIRA 4.2 when basic auth is used.
In order to be more secure, when a new session is established, Seraph will tear down the old session, copy a few thing across and create a new session.
For non "basic auth" login this works because you only "establish" the session when you present os_username/os_password in the request that is when you fill in the login form.
However for "basic auth" requests, the username and password is presented with EVERY request and hence Seraph will tear down the session and recreate it ON every request.
We have code in JIRA that tracks "valueUnbound" events from sessions and removes internal state on objects. The Temporary Attachment code is an example.
In this case the session tear down cause the temporary attachment manager to "clean itself" up even though the manager object lives on into the next session.
We need to fix Seraph to do something different on basic auth requests and hence not caused the session disruption and other flow on effects from that.
- causes
-
-
- Closed
-
| Form Name | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
[SER-160] Session fixation prevention has broken things when basic auth is used in Seraph
| Link | New: This issue causes JRACLOUD-23188 [ JRACLOUD-23188 ] |
| Resolution | New: Fixed [ 1 ] | |
| Status | Original: Implemented [ 10025 ] | New: Resolved [ 5 ] |
| Fix Version/s | New: 2.3.4 [ 15781 ] | |
| Status | Original: Open [ 1 ] | New: Implemented [ 10025 ] |
It now only tears down the session of the user name has changed