Project: atlassian-seraph

[SER-160] Session fixation prevention has broken things when basic auth is used in Seraph

    • Type: Bug
    • Resolution: Fixed
    • Priority: Medium
    • Fix Version/s: 2.3.4
    • Affects Version/s: 2.3.1

      The new session fixation code we put into Seraph during 2.3.1 has broken JIRA 4.2 when basic auth is used.

      In order to be more secure, when a new session is established, Seraph will tear down the old session, copy a few things across and create a new session.

      For non "basic auth" logins this works because you only "establish" the session when you present os_username/os_password in the request, that is, when you fill in the login form.

      However, for "basic auth" requests the username and password are presented with EVERY request, and hence Seraph will tear down the session and recreate it ON every request.

      We have code in JIRA that tracks "valueUnbound" events from sessions and removes internal state on objects. The Temporary Attachment code is an example.

      In this case the session tear-down causes the temporary attachment manager to "clean itself up" even though the manager object lives on into the next session.

      We need to fix Seraph to do something different on basic auth requests so that it does not cause the session disruption and the other flow-on effects from it.

      http://jira.atlassian.com/browse/JRA-23188
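Added example, not Seraph's or JIRA's code: a small Python model of the behaviour described above (rotate the session on every credentialed request) next to the fix recorded in the resolution comment (rotate only when the user name changes); `Session`, `TempAttachmentManager` and the attribute names are stand-ins for the real servlet session and JIRA manager.

```python
# Added example, not Seraph code: a model of the session rotation policy
# in this issue, comparing rotate-on-every-credentialed-request (2.3.1)
# with rotate-only-when-the-user-name-changes (the 2.3.4 fix).

class Session:
    def __init__(self):
        self.attrs = {}
        self.unbound = []  # callbacks run on invalidate, like valueUnbound

    def bind(self, name, value):
        self.attrs[name] = value
        if hasattr(value, "value_unbound"):
            self.unbound.append(value.value_unbound)

    def invalidate(self):
        for cb in self.unbound:
            cb()

class TempAttachmentManager:
    # stand-in for JIRA's manager that cleans itself up on valueUnbound
    def __init__(self):
        self.cleanups = 0

    def value_unbound(self):
        self.cleanups += 1

def rotate(old, keep=("locale",)):
    """Session-fixation defence: fresh session, copy a few attrs, drop old."""
    fresh = Session()
    for k in keep:
        if k in old.attrs:
            fresh.attrs[k] = old.attrs[k]
    old.invalidate()
    return fresh

def authenticate(session, user, rotate_always):
    """A request carrying credentials (form login or Basic auth header).
    rotate_always=True models 2.3.1; False rotates only on a user change."""
    if rotate_always or session.attrs.get("user") != user:
        session = rotate(session)
        session.attrs["user"] = user
    return session

def simulate(users, rotate_always):
    """Basic-auth requests, one user name each; return (rotations, cleanups)."""
    session, manager, rotations = Session(), TempAttachmentManager(), 0
    for user in users:
        new = authenticate(session, user, rotate_always)
        rotations, session = rotations + (new is not session), new
        if "temp_attachments" not in session.attrs:
            session.bind("temp_attachments", manager)
    return rotations, manager.cleanups
```

With five Basic-auth requests from one user, the 2.3.1 policy rotates five times and fires the manager's cleanup four times, while the fixed policy rotates once and never unbinds the manager, yet still rotates when a different user name arrives.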


            vkharisma made changes -
            Link New: This issue causes JRACLOUD-23188 [ JRACLOUD-23188 ]
            ɹǝʞɐq pɐɹq made changes -
            Resolution New: Fixed [ 1 ]
            Status Original: Implemented [ 10025 ] New: Resolved [ 5 ]
            ɹǝʞɐq pɐɹq made changes -
            Fix Version/s New: 2.3.4 [ 15781 ]
            Status Original: Open [ 1 ] New: Implemented [ 10025 ]


            ɹǝʞɐq pɐɹq added a comment - It now only tears down the session if the user name has changed
            ɹǝʞɐq pɐɹq made changes -
            Link New: This issue causes JRA-23188 [ JRA-23188 ]
            ɹǝʞɐq pɐɹq created issue -

              Assignee: Unassigned
              Reporter: bbaker (ɹǝʞɐq pɐɹq)
              Affected customers: 0
              Watchers: 1
              Created / Updated / Resolved: 14 years, 16 weeks, 2 days ago