Bug 1161730 - Logout must logout all sessions
Summary: Logout must logout all sessions
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: oVirt
Classification: Retired
Component: ovirt-engine-webadmin
Version: 3.3
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: ---
Target Release: 3.5.1
Assignee: Vojtech Szocs
QA Contact: Gonza
URL:
Whiteboard: ux
Depends On: 1172703
Blocks: 1167166
Reported: 2014-11-07 17:53 UTC by Alon Bar-Lev
Modified: 2016-02-10 19:45 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2015-01-21 16:03:43 UTC
oVirt Team: UX
Embargoed:




Links
System        ID     Private  Branch            Status  Summary                                                               Last Updated
oVirt gerrit  35069  0        master            MERGED  aaa: filters: enable accept engine session using header               Never
oVirt gerrit  35185  0        master            MERGED  webadmin: Use existing Engine session for REST API integration        Never
oVirt gerrit  35188  0        master            MERGED  aaa: filters: add Prefer new-auth option                              Never
oVirt gerrit  35246  0        ovirt-engine-3.5  MERGED  aaa: filters: enable accept engine session using header               Never
oVirt gerrit  35247  0        ovirt-engine-3.5  MERGED  aaa: filters: add Prefer new-auth option                              Never
oVirt gerrit  35248  0        ovirt-engine-3.5  MERGED  webadmin: Use existing Engine session for REST API integration        Never

Description Alon Bar-Lev 2014-11-07 17:53:20 UTC
In 3.5.0 there are two sessions between browser and backend:
1. engine
2. restapi

On logout, only (1) is invalidated.

This is incorrect security behavior, all sessions should be invalidated when user logs out.

UI-Plugins included.

Urgent to be fixed for 3.5.1

Comment 1 Alon Bar-Lev 2014-11-12 07:09:27 UTC
actually since 3.2.2

Comment 2 Sven Kieske 2014-11-18 12:34:52 UTC
this should block 3.5.1 release, if it's urgent :)

Comment 3 Gonza 2014-12-11 13:46:10 UTC
Which version is this fixed in?

This issue is still appearing on:
rhevm-3.5.0-0.23.beta.el6ev.noarch

Steps used to reproduce:
1. Logged in through webadmin and through the API with a session cookie
2. Signed out on webadmin
3. Called the API with the same session cookie and it returned a successful result

Comment 4 Alon Bar-Lev 2014-12-11 16:03:54 UTC
(In reply to grafuls from comment #3)
> Which version is this fixed in?

please try using this repo [1]

[1] http://bob.eng.lab.tlv.redhat.com/builds/latest_vt/

Comment 5 grafuls 2014-12-11 18:54:05 UTC
Same result, for that version, which I hope is the following:

# yumdb info rhevm
Loaded plugins: product-id, versionlock
rhevm-3.5.0-0.23.beta.el6ev.noarch
     changed_by = 0
     checksum_data = 5c7174bd1d292a6c388b8d88ab1bb15cbd28cddac74719db0d29422cf4c86248
     checksum_type = sha256
     from_repo = rhevm35
     from_repo_revision = 1417692417
     from_repo_timestamp = 1417692437
     installed_by = 0
     reason = user
     releasever = 6Server

Comment 6 Alon Bar-Lev 2014-12-11 19:16:54 UTC
as far as I can see 45fc369a is applied in this package.

please explain what is: "Logged in through webadmin and through the API with a session cookie"

Comment 8 Alon Bar-Lev 2014-12-12 11:39:54 UTC
(In reply to grafuls from comment #7)
> I logged in to the engine webadmin through:
> http://[engine-IP]/ovirt-engine/webadmin/
> 
> For the RestAPI I connected following this:
> https://access.redhat.com/documentation/en-US/
> Red_Hat_Enterprise_Virtualization/3.4/html-single/Technical_Guide/index.
> html#Authentication_Sessions

you created a separate session that is detached from the webadmin session, so it has its own life cycle.

we are discussing here the restapi session that is created by webadmin and transferred to ui-plugins, for example.

Comment 9 Gonza 2014-12-23 09:05:50 UTC
Verified on:
rhevm-3.5.0-0.23.beta.el6ev.noarch

Steps:
1. Logged in through webadmin and 2 session cookies were created, one for webadmin and one for the API.
2. Tried to access the API with the same cookie headers via curl and got a successful response.
3. Logged out from webadmin and tried to access the API through curl with the previous cookie headers, but got a 401 response requesting HTTP authentication.
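The following is an added illustrative model, not oVirt's code, of the two-session problem in the description and of the check in the verification steps above: a REST API session derived from the engine session is tracked as a child of it, the reported behaviour invalidates only the engine session, and the fixed behaviour invalidates every derived session as well, so replaying the old cookie against the API yields 401 instead of 200. Class and function names (SessionStore, run_scenario, rest_api_request), the sample user name and the numeric status codes are assumptions made for the example; the real filters negotiate the session via headers, which this model does not reproduce.

```python
# Added illustrative model (not oVirt's code): a session store in which a
# derived REST API session is linked to the engine session that created it.
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    valid: bool = True
    # Sessions derived from this one, e.g. the REST API session that
    # webadmin creates and hands to UI plugins.
    children: list = field(default_factory=list)


class SessionStore:
    def __init__(self):
        self._sessions = {}

    def login(self, user):
        """Create the engine session (session 1 in the bug description)."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = Session(user)
        return sid

    def derive(self, parent_sid):
        """Create a REST API session (session 2) tied to the engine session."""
        parent = self._sessions.get(parent_sid)
        if parent is None or not parent.valid:
            raise PermissionError("engine session is not valid")
        child_sid = secrets.token_hex(16)
        self._sessions[child_sid] = Session(parent.user)
        parent.children.append(child_sid)
        return child_sid

    def is_valid(self, sid):
        s = self._sessions.get(sid)
        return s is not None and s.valid

    def logout_engine_only(self, sid):
        """Behaviour reported in the bug: only the engine session dies."""
        s = self._sessions.get(sid)
        if s is not None:
            s.valid = False

    def logout_all(self, sid):
        """Fixed behaviour: invalidate the session and everything derived from it."""
        s = self._sessions.get(sid)
        if s is None:
            return
        s.valid = False
        for child in s.children:
            self.logout_all(child)
        s.children.clear()


def rest_api_request(store, session_cookie):
    """Stand-in for the curl call in the verification steps: 200 if the
    presented session is still valid, 401 (HTTP auth required) otherwise."""
    return 200 if store.is_valid(session_cookie) else 401


def run_scenario(fixed):
    """Log in, derive the REST session, log out, then replay the old cookie.
    Returns the API status codes observed before and after logout."""
    store = SessionStore()
    engine_sid = store.login("admin@internal")  # constructed sample user
    rest_sid = store.derive(engine_sid)
    before = rest_api_request(store, rest_sid)
    if fixed:
        store.logout_all(engine_sid)
    else:
        store.logout_engine_only(engine_sid)
    after = rest_api_request(store, rest_sid)
    return before, after


if __name__ == "__main__":
    print("unfixed:", run_scenario(fixed=False))  # (200, 200): old cookie still works
    print("fixed:  ", run_scenario(fixed=True))   # (200, 401): cookie rejected after logout
```

The point of tracking children on the parent is that logout needs no knowledge of which components (webadmin, UI plugins, API clients) were handed a derived session; whatever was issued from the login is torn down with it, which is the property the verification in step 3 checks.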

Comment 10 Sandro Bonazzola 2015-01-21 16:03:43 UTC
oVirt 3.5.1 has been released. If problems still persist, please make note of it in this bug report.

