[ https://issues.apache.org/jira/browse/GUACAMOLE-1871?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17778754#comment-17778754 ]

Mike Jumper commented on GUACAMOLE-1871:
----------------------------------------

The user's session is established as a result of an 
authentication/authorization process that occurs each time a page in Guacamole 
is visited. Extensions can choose to re-authenticate and re-authorize to take 
into account data that may be different, including new data provided in the 
URL, but this is not required. The JSON auth extension is one that does not 
update the session.

The JSON extension could be enhanced to update the session in response to new, 
valid JSON, though there would be implementation questions to be settled that 
may not have clear answers:

* What if the new JSON has a different username?
* What if data within the new JSON conflicts with data in the old JSON, such as 
changing properties of a connection?
* How do we reconcile the declared expiration timestamp of old data vs. new 
data? Dynamically track and let _part_ of the session fall off?

The extension is currently working as designed.

> Multiple connections from the same browser not possible with JSON 
> authentication
> --------------------------------------------------------------------------------
>
>                 Key: GUACAMOLE-1871
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1871
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacamole-auth-json
>    Affects Versions: 1.4.0, 1.5.2
>            Reporter: phreakocious
>            Priority: Minor
>
> When only JSON authentication is in use, it is not possible to have multiple 
> connections open from the same browser.
>  *  a connection has been established already using {{?data=connection1_json}}
>  *  a subsequent request for {{?data=connection2_json}} is submitted
>  *  the JSON is not decrypted or validated
>  *  the user is redirected to {{/client/...?data=connection2_json}}, but 
> the JSON is ignored and a second connection is made to {{connection1}}
> It appears that the original session is cached in some way.  Adding something 
> to the JSON body or a URL parameter to control this unintuitive behavior 
> would be very helpful.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
