Alexander Wels has posted comments on this change.

Change subject: userportal, webadmin: prevent session fixation
......................................................................


Patch Set 1:

(1 comment)

http://gerrit.ovirt.org/#/c/25959/1/frontend/webadmin/modules/frontend/src/main/java/org/ovirt/engine/ui/frontend/server/gwt/GenericApiGWTServiceImpl.java
File 
frontend/webadmin/modules/frontend/src/main/java/org/ovirt/engine/ui/frontend/server/gwt/GenericApiGWTServiceImpl.java:

Line 175:         getSession().invalidate();
Line 176:         // Calling getSession again after invalidating it should create a new session.
Line 177:         HttpSession newSession = getSession();
Line 178:         assert !newSession.equals(originalSession) : "new session the same as old session"; //$NON-NLS-1$
Line 179: 
> I think that attributes of old session shouldn't be carried over to new ses
The scenario for 'copying' the attributes is usually the following:

- I am not logged in and I go to a protected location.
- I get redirected to the login page. The page I came from is stored in my http session.
- To prevent fixation, a new session is created.
- The original location needs to be copied into the new session so we can redirect the user back to their original location.

I don't think this scenario is valid in our case; I just wanted to point it out, that is all.
Line 180:         params.setSessionId(getSession().getId());
Line 181:         params.setActionType(loginType);
Line 182:         VdcReturnValueBase returnValue = getBackend().login(params);
Line 183:         return returnValue;


-- 
To view, visit http://gerrit.ovirt.org/25959
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I3df427683c924f10cb59f4af1dd067fcfd21a8f2
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Alexander Wels <aw...@redhat.com>
Gerrit-Reviewer: Alexander Wels <aw...@redhat.com>
Gerrit-Reviewer: Einav Cohen <eco...@redhat.com>
Gerrit-Reviewer: Vojtech Szocs <vsz...@redhat.com>
Gerrit-Reviewer: automat...@ovirt.org
Gerrit-HasComments: Yes
_______________________________________________
Engine-patches mailing list
Engine-patches@ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-patches
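The session-rotation pattern discussed in the comment above (invalidate the pre-login session, obtain a fresh one, and carry over only the original redirect target), as an added illustrative example. This is not oVirt code and not the change under review; the class name `SessionRotation`, the attribute name `originalLocation` and the `rotate` method are assumptions made for the example, written against the standard `javax.servlet` API.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Illustrative helper (hypothetical, not part of ovirt-engine): rotate the
 * HTTP session at login so that a session id fixed before authentication
 * is never promoted to an authenticated one.
 */
public final class SessionRotation {

    // Hypothetical attribute holding the location the user requested before login.
    public static final String ORIGINAL_LOCATION = "originalLocation";

    // Explicit allow-list: only these attributes survive the rotation. Any
    // other pre-login state is discarded together with the old session.
    private static final Set<String> CARRY_OVER = Collections.singleton(ORIGINAL_LOCATION);

    private SessionRotation() {}

    /**
     * Invalidate the current session (if one exists) and return a new session
     * with a different id, carrying over only the allow-listed attributes.
     */
    public static HttpSession rotate(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> kept = new HashMap<>();
        String oldId = null;
        if (old != null) {
            oldId = old.getId();
            for (String name : CARRY_OVER) {
                Object value = old.getAttribute(name);
                if (value != null) {
                    kept.put(name, value);
                }
            }
            old.invalidate();
        }
        // After invalidate(), getSession(true) creates a fresh session with a new id.
        HttpSession fresh = request.getSession(true);
        if (oldId != null && oldId.equals(fresh.getId())) {
            // Runtime check rather than an assert, so it also fires with -da.
            throw new IllegalStateException("session id was not rotated");
        }
        kept.forEach(fresh::setAttribute);
        return fresh;
    }
}
```

The login handler would call `rotate(request)` before storing the authenticated identity, then read `ORIGINAL_LOCATION` from the returned session to build the post-login redirect.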
