atlassian-seraph / SER-160

Session fixation prevention has broken things when basic auth is used in Seraph

    • Type: Bug
    • Resolution: Fixed
    • Priority: Medium
    • Fix Version: 2.3.4
    • Affects Version: 2.3.1
    • None
    • true

      The new session fixation code we put into Seraph during 2.3.1 has broken JIRA 4.2 when basic auth is used.

      In order to be more secure, when a new session is established, Seraph will tear down the old session, copy a few things across and create a new session.

      For non "basic auth" login this works because you only "establish" the session when you present os_username/os_password in the request, that is, when you fill in the login form.

      However for "basic auth" requests, the username and password are presented with EVERY request and hence Seraph will tear down the session and recreate it ON every request.

      We have code in JIRA that tracks "valueUnbound" events from sessions and removes internal state on objects. The Temporary Attachment code is an example.

      In this case the session tear down causes the temporary attachment manager to "clean itself up" even though the manager object lives on into the next session.

      We need to fix Seraph to do something different on basic auth requests and hence not cause the session disruption and the other flow-on effects from it.

      http://jira.atlassian.com/browse/JRA-23188
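One way to keep the session rotation from firing on every Basic-auth request, as an added example: a hypothetical servlet filter that only invalidates and recreates the session when credentials are presented for a principal the session does not already hold. This is not Seraph's code nor the fix shipped in 2.3.4; the attribute name `example.principal` and the assumption that password verification happens at the marked point are mine.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
/** Hypothetical filter written for this example; it is not Seraph's own code. */
public class SessionRotationFilter implements Filter {
    static final String PRINCIPAL_KEY = "example.principal"; // assumed attribute name
    @Override public void init(FilterConfig config) { }  @Override public void destroy() { }
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String user = presentedUser(http);              // null when no credentials are sent
        HttpSession session = http.getSession(false);
        Object current = session == null ? null : session.getAttribute(PRINCIPAL_KEY);
        // Rotate only on a genuine authentication transition. A Basic-auth client resends the
        // same header on every request, so a session already holding this user is left alone.
        if (user != null && !user.equals(current)) {
            // Password verification would happen here; assumed to succeed for the example.
            session = rotateSession(http, session);
            session.setAttribute(PRINCIPAL_KEY, user);
        }
        chain.doFilter(req, res);
    }
    /** User name from os_username (form login) or from a Basic Authorization header. */
    static String presentedUser(HttpServletRequest http) {
        if (http.getParameter("os_username") != null) return http.getParameter("os_username");
        String auth = http.getHeader("Authorization");
        if (auth == null || !auth.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        try {
            String pair = new String(Base64.getDecoder().decode(auth.substring(6).trim()),
                    StandardCharsets.UTF_8);
            int colon = pair.indexOf(':');
            return colon > 0 ? pair.substring(0, colon) : null;
        } catch (IllegalArgumentException malformed) { return null; }
    }
    /** Invalidates the old session (new id) and copies its attributes into a fresh one. */
    static HttpSession rotateSession(HttpServletRequest http, HttpSession old) {
        Map<String, Object> saved = new HashMap<>();
        if (old != null) {
            for (String n : Collections.list(old.getAttributeNames())) saved.put(n, old.getAttribute(n));
            old.invalidate(); // fires valueUnbound on every HttpSessionBindingListener value
        }
        HttpSession fresh = http.getSession(true);
        saved.forEach(fresh::setAttribute);
        return fresh;
    }
}
```

Because `invalidate()` still fires `valueUnbound` on the one rotation that does happen, any attribute whose listener discards shared state (like the temporary attachment manager described above) must be rebuilt or registered again after the copy, not merely carried across.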


Assignee: Unassigned
Reporter: bbaker