Project

General

Profile

Actions

Bug #12367

closed

Bad session counting block user login after three session created

Added by François ARMAND over 6 years ago. Updated over 6 years ago.

Status:
Released
Priority:
N/A
Category:
Security
Target version:
Severity:
Critical - prevents main use of Rudder | no workaround | data loss | security
UX impact:
User visibility:
Getting started - demo | first install | level 1 Techniques
Effort required:
Priority:
94
Name check:
Fix check:
Regression:

Description

The way http sessions are created and counted is not correct and can even lead to blocking an user from login:

What works: when an user is login, he can open new tabs (for example with middle-clicking on a link) on rudder and the session if correctly shared.

What does not work:

- log-in for a first time in tab1;
- in the same browser, open a new tab (tab2), go to the log-in page
- your are not redirected to the dashboard page (you should)
- log-in with the same user
- tab1 is delogged and come back to the login page

This is the behavior experienced in Rudder 4.1.

But it get worse:

- in tab1 or tab3, go to the loggin page and try to log-in
- tab2 is delogged,
- but there is ALSO a login error in tab1 (or tab3) saying that the maximum number of concurrent session is reached for that user.
- at that point, we didn't find a way for the user to be able to log again but to restart webapp.

So, it seems that:

1/ there is missing linked between current browser / user login status
2/ user session are not correctly destroyed in the mind of spring-security (or the couting is not correct).

At least the dead lock state is critical.


Related issues 1 (0 open1 closed)

Related to Rudder - Bug #12481: When logged > 3 times, oldest session is logged out but not immediatelyRejectedActions
Actions

Also available in: Atom PDF