Bug 1077446
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | [ovirt][webadmin] Session fixation in ovirt webadmin | | |
| Product: | [Retired] oVirt | Reporter: | lzhuang <lzhuang> |
| Component: | ovirt-engine-webadmin | Assignee: | Alexander Wels <awels> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Pavel Stehlik <pstehlik> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 3.4 | CC: | acathrow, alonbl, awels, djorm, ecohen, gklein, huiwang, iheim, jechoi, khong, mgoldboi, sbonazzo, sraje, suli, yeylon, yuzheng |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | 3.4.1 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | infra | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| | 1150424 | Environment: | |
| Last Closed: | 2014-05-08 13:37:05 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1150424 | | |
Description
lzhuang
2014-03-18 03:20:28 UTC

This would normally be protected by wrapping the session in HTTPS, correct? Also, is the session ID properly terminated if the user hits the log out button? Or can they still log in using the old session ID?

Answer to comment #1: I don't believe session fixation is prevented by using https.

Answer to comment #2: When the user hits the logout button their session is removed from the backend session map. In order to do anything your session must exist in that map. I don't see a session.invalidate() in the logout method. In short, yes, I believe the session is terminated, but we should probably do an invalidate on the http session just to be sure, in case we ever store anything important in the http session instead of relying on the existence of the http session in the backend map.

All referenced patches have been merged, shouldn't this be in modified state?

This is an automated message. oVirt 3.4.1 has been released:

* should fix your issue
* should be available at your local mirror within two days.

If problems still persist, please make note of it in this bug report.
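The discussion above turns on two defences that are easy to conflate: TLS protects the session ID in transit, but it does nothing against a session ID that was fixed before authentication and is still honoured afterwards; the fix for that is to issue a fresh ID at login and to invalidate the container session (not only the backend map entry) at logout. The following is an added example written for this page, not oVirt's own code, showing both halves in plain `javax.servlet` terms. `BackendSessionMap`, `LoginServlet`, `LogoutServlet` and `BackendSessionFilter` are hypothetical stand-ins for the engine's session map and endpoints mentioned in the comments; `credentialsValid` is a placeholder for the real authentication back end.

```java
// Added example, not oVirt code: session-fixation-safe login/logout for a
// servlet container. Assumes Servlet 3.1+ (for request.changeSessionId()).
// BackendSessionMap is a hypothetical stand-in for the engine's session map.
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SessionFixationSafeAuth {

    /** Hypothetical backend map: container session id -> authenticated user. */
    static final class BackendSessionMap {
        private final Map<String, String> map = new ConcurrentHashMap<>();
        void put(String sessionId, String user) { map.put(sessionId, user); }
        String remove(String sessionId) { return map.remove(sessionId); }
        boolean contains(String sessionId) { return map.containsKey(sessionId); }
    }

    static final BackendSessionMap BACKEND = new BackendSessionMap();

    public static class LoginServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            String user = req.getParameter("user");
            String pass = req.getParameter("pass");
            if (!credentialsValid(user, pass)) {
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            // Core defence against fixation: the id the browser arrived with
            // (whatever its origin) is never promoted to an authenticated id.
            // A new id is issued only after authentication succeeds.
            HttpSession session = req.getSession(true);
            String newId = req.changeSessionId();
            // On pre-3.1 containers use: session.invalidate(); session = req.getSession(true);
            BACKEND.put(newId, user);
            session.setAttribute("user", user);
            resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
        }
    }

    public static class LogoutServlet extends HttpServlet {
        @Override
        protected void doPost(HttpServletRequest req, HttpServletResponse resp) {
            HttpSession session = req.getSession(false);
            if (session != null) {
                // Both halves: remove the backend entry (what the bug says logout
                // already did) AND invalidate the container session, so nothing
                // kept in HttpSession attributes outlives the logout.
                BACKEND.remove(session.getId());
                session.invalidate();
            }
            // Expire the cookie on the client as well so the stale id is not
            // re-presented on the next request.
            Cookie c = new Cookie("JSESSIONID", "");
            c.setMaxAge(0);
            c.setPath(req.getContextPath().isEmpty() ? "/" : req.getContextPath());
            c.setHttpOnly(true);
            c.setSecure(req.isSecure());
            resp.addCookie(c);
            resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
        }
    }

    /** Rejects any request whose container session is not in the backend map. */
    public static class BackendSessionFilter implements Filter {
        @Override public void init(FilterConfig cfg) { }
        @Override public void destroy() { }
        @Override
        public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest req = (HttpServletRequest) rq;
            HttpSession s = req.getSession(false);
            if (s == null || !BACKEND.contains(s.getId())) {
                ((HttpServletResponse) rs).sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            chain.doFilter(rq, rs);
        }
    }

    // Placeholder: a real deployment delegates to the engine's authentication back end.
    private static boolean credentialsValid(String user, String pass) {
        return user != null && pass != null && !user.isEmpty() && !pass.isEmpty();
    }
}
```

The filter encodes the property the comments rely on ("to do anything your session must exist in that map"), while the login servlet adds the rotation step that the backend map alone does not give you: without it, an ID present in the map is whatever ID the browser happened to carry into the login request.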