Bug #12367

Bad session counting block user login after three session created

Added by François ARMAND 8 months ago. Updated 8 months ago.

Status: Released
Priority: N/A
Category: Security
Target version:
Severity: Critical - prevents main use of Rudder | no workaround | data loss | security
User visibility: Getting started - demo | first install | level 1 Techniques
Effort required:
Priority: 94
Tags:

Description

The way HTTP sessions are created and counted is not correct and can even lead to blocking a user from logging in:

What works: when a user is logged in, he can open new tabs (for example by middle-clicking on a link) on Rudder and the session is correctly shared.

What does not work:

- log in for the first time in tab1;
- in the same browser, open a new tab (tab2), go to the login page;
- you are not redirected to the dashboard page (you should be);
- log in with the same user;
- tab1 is logged out and comes back to the login page.

This is the behavior experienced in Rudder 4.1.

But it gets worse:

- in tab1 or tab3, go to the login page and try to log in;
- tab2 is logged out;
- but there is ALSO a login error in tab1 (or tab3) saying that the maximum number of concurrent sessions is reached for that user;
- at that point, we didn't find a way for the user to be able to log in again other than restarting the webapp.

So, it seems that:

1/ there is a missing link between the current browser and the user login status
2/ user sessions are not correctly destroyed in the mind of spring-security (or the counting is not correct).

At least the deadlock state is critical.


Related issues

Related to Rudder - Bug #12481: When logged > 3 times, oldest session is logged out but not immediately (Rejected)

Associated revisions

Revision 81dc7bcc (diff)
Added by François ARMAND 8 months ago

Fixes #12367: Bad session counting block user login after three session created

Revision eff22489 (diff)
Added by François ARMAND 8 months ago

Fixes #12367: Bad session counting block user login after three session created

History

#1 Updated by François ARMAND 8 months ago

  • Target version changed from 4.3.0~rc3 to 4.1.11

It was already a problem (but hidden) in 4.1

#2 Updated by François ARMAND 8 months ago

  • Status changed from New to In progress

#3 Updated by François ARMAND 8 months ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from François ARMAND to Vincent MEMBRÉ
  • Pull Request set to https://github.com/Normation/rudder/pull/1891

#4 Updated by François ARMAND 8 months ago

  • Status changed from Pending technical review to Pending release

#6 Updated by Alexis MOUSSET 8 months ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 4.1.11, 4.2.5 and 4.3.0~rc3 which were released today.

#7 Updated by François ARMAND 6 months ago

  • Related to Bug #12481: When logged > 3 times, oldest session is logged out but not immediately added
