[SER-160] Session fixation prevention has broken things when basic auth is used in Seraph - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: Medium
Fix Version/s: 2.3.4
Affects Version/s: 2.3.1
Labels:
None

Last commented by user?:
true

The new session fixation code we put into Seraph during 2.3.1 has broken JIRA 4.2 when basic auth is used.

In order to be more secure, when a new session is established, Seraph will tear down the old session, copy a few thing across and create a new session.

For non "basic auth" login this works because you only "establish" the session when you present os_username/os_password in the request that is when you fill in the login form.

However for "basic auth" requests, the username and password is presented with EVERY request and hence Seraph will tear down the session and recreate it ON every request.

We have code in JIRA that tracks "valueUnbound" events from sessions and removes internal state on objects. The Temporary Attachment code is an example.

In this case the session tear down cause the temporary attachment manager to "clean itself" up even though the manager object lives on into the next session.

We need to fix Seraph to do something different on basic auth requests and hence not caused the session disruption and other flow on effects from that.

http://jira.atlassian.com/browse/JRA-23188

causes

JRASERVER-23188 Basic auth authentication does not allow files to be attached in 4.2

Closed

Assignee:: Unassigned

Reporter:: ɹǝʞɐq pɐɹq

Participants:: ɹǝʞɐq pɐɹq

Affected customers:: 0 This affects my team

Watchers:: 1 Start watching this issue

Created:: 06/Dec/2010 1:19 AM

Updated:: 01/Apr/2017 7:42 PM

Resolved:: 13/Dec/2010 3:49 AM

Last commented:: 14 years, 16 weeks, 1 day ago

Details

Description

Attachments

Issue Links

Forms

Activity

People

Dates