Bug 969886
Summary: Signing out from Katello does not sign current user from Foreman
Product: Red Hat Satellite
Reporter: Og Maciel <omaciel>
Component: Infrastructure
Assignee: Marek Hulan <mhulan>
Status: CLOSED WONTFIX
QA Contact: Og Maciel <omaciel>
Severity: high
Priority: unspecified
Version: 6.0.1
CC: bkearney, cwelton, mmccune
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-10-22 06:18:48 UTC
Description
Og Maciel
2013-06-02 22:25:57 UTC

This is intentional. Imagine a situation where you work on both systems at the same time. You have filled in a form with a lot of inputs in Foreman, then in a second tab you log out from Katello. If you switched back to Foreman and submitted the form you would lose all the data from the form and would not even know why. I think that would be more confusing. I think most or all SSO systems work like this. E.g. when you use OpenID providers, logging out from one application does not destroy your session on all the other systems.

This appears to be a security hardening issue and not a security vulnerability (e.g. there is no need for a CVE/etc.). This issue should probably be fixed as security hardening; my main concern would be that if someone finds a CSRF vuln in the product they could then leverage this potentially to gain access/execute commands/etc. We should also document this to ensure there are no unexpected surprises for end users. Also, should there be a "log out all my sessions" option like I have seen a number of SSO providers give, so that people can force a complete log out if they are worried that someone has used this to gain access/etc. (combined with a password change and so on)? Also moving this bug back to being public.

Adding support for logging out the user from all systems would currently require one change: sessions would have to be stored on the server in Katello. Then Signo could store a list of all applications the user was logged into and then enforce logout. It seems like an RFE more than a bug to me. Another way (but it looks hackish to me since apps can have some logout hooks) would be just to delete the cookies for all apps. This would not require changes in Katello. And this would be another limitation for using the same domain for all systems. Also the question is, where should this "log out all my sessions" option be? Only in the Signo UI, which is usually not displayed to the end user (just for the login form), or in Foreman and Katello?

I still find it more confusing :-)

*** Bug 1010042 has been marked as a duplicate of this bug. ***

We can CLOSED:WONTFIX this since Signo is going away with the engine-ification of Katello.

removing signo component and moving these bugs to 'Infrastructure'
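The thread sketches the one change a global "log out all my sessions" option would need: application sessions recorded on the server, keyed by user, so the SSO provider can revoke them all at once instead of relying on per-app cookies. The following is an added example written for this page, not Signo, Katello or Foreman code; the class `SsoSessionRegistry`, its method names and the user and application names are invented. It keeps every session server-side and shows both behaviours side by side: the per-application logout the thread calls intentional (other apps stay signed in) and a global logout that revokes every session of the user, after which an app that still presents its old cookie is rejected.

```ruby
require 'securerandom'

# Hypothetical SSO session registry, written as an illustration for this
# bug report. It is not Signo, Katello or Foreman code; class and method
# names are invented. The one design change the thread calls for is that
# every application session is recorded on the server, keyed by user, so
# the provider can revoke all of them at once.
class SsoSessionRegistry
  Session = Struct.new(:id, :user, :app, :active)

  def initialize
    @sessions = {}                            # session id => Session
    @by_user  = Hash.new { |h, k| h[k] = [] } # user => [Session, ...]
  end

  # An application ("foreman", "katello", ...) finished SSO login for user.
  # The returned opaque id is what the app keeps in its session cookie;
  # nothing else about the session lives client-side.
  def login(user, app)
    id = SecureRandom.hex(16)
    session = Session.new(id, user, app, true)
    @sessions[id] = session
    @by_user[user] << session
    id
  end

  # Apps call this on every request; a revoked id is rejected server-side
  # even if the browser still presents the cookie.
  def valid?(id)
    session = @sessions[id]
    !session.nil? && session.active
  end

  # Per-application logout, the behaviour the thread describes as
  # intentional: only this session ends; the user's sessions in the other
  # applications are untouched. Returns false if there was nothing to end.
  def logout(id)
    session = @sessions[id]
    return false unless session && session.active
    session.active = false
    true
  end

  # "Log out all my sessions": revoke every active session of the user in
  # every application. Returns the names of the applications affected so
  # the UI can show what was signed out.
  def logout_all(user)
    revoked = @by_user[user].select(&:active)
    revoked.each { |s| s.active = false }
    revoked.map(&:app).uniq
  end

  def active_apps(user)
    @by_user[user].select(&:active).map(&:app).uniq
  end
end

# Walk through the scenario from the report with a constructed user
# "alice": signed in to both Foreman and Katello, signs out of Katello
# only, then uses the global logout. Returns the observations as a hash.
def sso_logout_walkthrough
  registry = SsoSessionRegistry.new
  foreman_sid = registry.login('alice', 'foreman')
  katello_sid = registry.login('alice', 'katello')

  registry.logout(katello_sid)                 # per-app logout
  after_single = registry.active_apps('alice') # => ["foreman"]

  revoked = registry.logout_all('alice')       # => ["foreman"]

  {
    after_single_logout: after_single,
    revoked_by_global_logout: revoked,
    foreman_cookie_still_valid: registry.valid?(foreman_sid), # => false
    katello_cookie_still_valid: registry.valid?(katello_sid)  # => false
  }
end

if __FILE__ == $PROGRAM_NAME
  sso_logout_walkthrough.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Two practitioner notes on wiring this into a real provider: the endpoint behind `logout_all` changes server state and must be a CSRF-protected POST, otherwise a forged request can sign a user out of everything; and because revocation happens in the registry rather than in the browser, it works regardless of whether the applications share a domain, which removes the cookie-deletion limitation the thread mentions.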