  1. atlassian-seraph
  2. SER-95

Cookie login fails if a previous filter creates a session


Details

    • Bug
    • Resolution: Fixed
    • Medium
    • 2.5.2
    • 0.7.20
    • None
    • JDK 1.4.2, Tomcat 5.5.25


    Description

      If a Filter prior to LoginFilter/SecurityFilter creates a session with request.getSession(), then cookie-based autologin will fail.

      This is because DefaultAuthenticator.getUser(request, response) tests for an existing session. Upon finding one, it assumes that this session was created by Seraph and looks for the user. If it finds none, then it skips cookie auth and tries basic auth.

      It would be better to try cookie auth if no sessionUser is found and not assume the existence of a session means Seraph had a go at the authentication already.
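The login order described above, as an added example that is not Seraph's source code: a simplified model in which `Request`, `USER_KEY`, `COOKIE_USERS`, `fromCookie` and both `getUser*` methods are hypothetical stand-ins for the servlet request, the session attribute, the cookie lookup and `DefaultAuthenticator.getUser`. The cookie token and user name are constructed sample values.

```java
import java.util.HashMap;
import java.util.Map;

public class CookieLoginOrder {
    // Hypothetical stand-in for HttpServletRequest.
    static class Request {
        Map<String, String> session;   // null until some filter creates it
        String rememberMeCookie;       // autologin cookie value, if sent
        String basicAuthUser;          // user from an Authorization header, if any
        Map<String, String> getSession() {   // like request.getSession(): creates on demand
            if (session == null) session = new HashMap<>();
            return session;
        }
    }

    static final String USER_KEY = "user";   // assumed session attribute name
    // Constructed cookie store: token -> user name.
    static final Map<String, String> COOKIE_USERS = Map.of("token-abc", "alice");

    // Behaviour described in the issue: an existing session with no user skips cookie auth.
    static String getUserBefore(Request r) {
        if (r.session != null) {
            String u = r.session.get(USER_KEY);
            return u != null ? u : r.basicAuthUser;
        }
        String u = fromCookie(r);
        return u != null ? u : r.basicAuthUser;
    }

    // Proposed behaviour: try the cookie whenever no session user is found.
    static String getUserAfter(Request r) {
        String u = r.session != null ? r.session.get(USER_KEY) : null;
        if (u == null) u = fromCookie(r);
        return u != null ? u : r.basicAuthUser;
    }

    static String fromCookie(Request r) {
        String u = r.rememberMeCookie == null ? null : COOKIE_USERS.get(r.rememberMeCookie);
        if (u != null) r.getSession().put(USER_KEY, u);   // cache the login in the session
        return u;
    }

    public static void main(String[] args) {
        Request r = new Request();
        r.rememberMeCookie = "token-abc";
        r.getSession();   // an earlier filter created the session before the login filter ran
        System.out.println("before: " + getUserBefore(r));
        System.out.println("after:  " + getUserAfter(r));
    }
}
```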


            People

              gsmith@atlassian.com Graeme Smith
              71287a7980d2 Matt Bishop
              Votes: 0
              Watchers: 2

              Dates

                Created:
                Updated:
                Resolved:
                12 years, 26 weeks, 1 day ago