server: Purge all cookies on logout, set /client path on login #4176
Conversation
This will purge all the cookies on logout including multiple sessionkey cookies if passed. On login, this will restrict sessionkey cookie (httponly) to the /client path like the JSESSIONID cookie. Fixes apache#4136 Signed-off-by: Rohit Yadav <[email protected]>
|
Please review and test @davidjumani @shwstppr cc @Pearl1594 |
|
@blueorangutan package |
|
@rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress. |
| responseString = apiAuthenticator.authenticate(command, params, session, remoteAddress, responseType, auditTrailSb, req, resp); | ||
| if (session != null && session.getAttribute(ApiConstants.SESSIONKEY) != null) { | ||
| resp.addHeader("SET-COOKIE", String.format("%s=%s;HttpOnly", ApiConstants.SESSIONKEY, session.getAttribute(ApiConstants.SESSIONKEY))); | ||
| resp.addHeader("SET-COOKIE", String.format("%s=%s;HttpOnly;Path=/client", ApiConstants.SESSIONKEY, session.getAttribute(ApiConstants.SESSIONKEY))); |
There was a problem hiding this comment.
We need to check if this is necessary or not
There was a problem hiding this comment.
@davidjumani please explore if this would work, without adding the /client path to the cookie; as I worry if this change can potentially break non-standard env (those which don't use the default context path of /client as defined in /etc/cloudstack/management/server.properties)
There was a problem hiding this comment.
Looks like it is necessary, if not present, two sessionkeys are present
If non-standard implementations are the case, wouldn't JSESSIONID cause issues too?
Also exploring saml logins
There was a problem hiding this comment.
@davidjumani in a deploy trillian env with this PR (or you may use the primate-qa server as well which has this PR) and both old UI and Primate, can you check side-effects when you change the context in /etc/cloudstack/management/server.properties from /client/ to say (a) /somenew-path and (b) / and restart management server and try log-in in both legacy UI and Primate (check network an Application/cookies)
There was a problem hiding this comment.
Nevermind I tested, this will break if path is restricted to /client only; ideally shoud match the webapp context path
|
@blueorangutan package |
|
@rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress. |
|
Packaging result: ✖centos7 ✖debian. JID-1452 |
| sessionKeyCookie.setMaxAge(0); | ||
| resp.addCookie(sessionKeyCookie); | ||
| final Cookie[] cookies = req.getCookies(); | ||
| if (cookies != null) |
|
@blueorangutan package |
|
@rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress. |
|
Packaging result: ✔centos7 ✔debian. JID-1453 |
|
@blueorangutan test |
|
@rhtyd a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests |
|
@blueorangutan package |
|
@rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress. |
|
Packaging result: ✔centos7 ✖debian. JID-1462 |
|
Tested for local / saml users. LGTM |
|
@davidjumani did you also test changing the context path from server properties? |
|
Works when the context path is changed to |
|
@blueorangutan package |
|
@rhtyd a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress. |
|
Packaging result: ✔centos7 ✔debian. JID-1531 |
|
@blueorangutan test |
|
@rhtyd a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests |
|
@blueorangutan test |
|
@rhtyd a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests |
|
@blueorangutan test |
|
@rhtyd a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests |
|
@davidjumani can you help review/test/fix, thnx |
|
@Pearl1594 @davidjumani any progress on this? |
|
@blueorangutan package |
|
@rhtyd looking into it |
|
@Pearl1594 a Jenkins job has been kicked to build packages. I'll keep you posted as I make progress. |
|
Packaging result: ✔centos7 ✔debian. JID-1551 |
|
@rhtyd it works now - for both changing context.path to a value other that /client and for / |
|
@blueorangutan test |
|
@Pearl1594 a Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests |
|
Trillian test result (tid-2026)
|
|
Tests lgtm |
…e#4176) This will purge all the cookies on logout including multiple sessionkey cookies if passed. On login, this will restrict sessionkey cookie (httponly) to the / path. Fixes apache#4136 Co-authored-by: Pearl Dsilva <[email protected]>
…e#4176) This will purge all the cookies on logout including multiple sessionkey cookies if passed. On login, this will restrict sessionkey cookie (httponly) to the / path. Fixes apache#4136 Co-authored-by: Pearl Dsilva <[email protected]>
5 participants
This will purge all the cookies on logout including multiple sessionkey
cookies if passed. On login, this will restrict sessionkey cookie
(httponly) to the /client path like the JSESSIONID cookie.
Fixes #4136
Types of changes
Needs manual testing