I know for sure it was discussed with Citrix security team before changing it. Probably also on the ACS security list, but I'm not on that list. Anyway, even if the security concern turns out to be illusory, we shouldn't change a claimed security fix without taking it back to the security list.
-- Stephen Turner -----Original Message----- From: Rafael Fonseca [mailto:rsafons...@gmail.com] Sent: 27 May 2015 11:16 To: dev@cloudstack.apache.org Subject: Re: refresh browser - logged out from ACS ? This doesn't really do much for security, since the sessionKey is still available to JS in a window variable, so this mostly just breaks functionality and adds no value. This probably wasn't discusses with security experts before implementation, so this just breaks functionality period. My approach does indeed add some security (set a httponly cookie with the data) and restores session persistence. On Wed, May 27, 2015 at 11:50 AM, Stephen Turner <stephen.tur...@citrix.com> wrote: > Is this being discussed on the security list? I think that's the place > for it, because I wouldn't want us to restore the old behaviour > without a proper audit from security experts. > > -- > Stephen Turner > > > -----Original Message----- > From: Rafael Fonseca [mailto:rsafons...@gmail.com] > Sent: 27 May 2015 10:39 > To: dev@cloudstack.apache.org > Subject: Re: refresh browser - logged out from ACS ? > > Hi guys, > > I had a look at this issue yesterday and created a PR to fix it, it's > being discussed here https://github.com/apache/cloudstack/pull/308 > Since this seems to be a security related issue I will be updating my > PR soon with a secure fix :) > > On Wed, May 27, 2015 at 11:24 AM, Andrija Panic > <andrija.pa...@gmail.com> > wrote: > > > its not the case with i.e. 4.3.2...its is the case with 4.4.3 and > > 4.5.1 at the moment... > > > > On 27 May 2015 at 11:20, Vadim Kimlaychuk > > <vadim.kimlayc...@elion.ee> > > wrote: > > > > > Is it possible to fix? It seems such a behaviour was always be > > > like > this. > > > > > > Vadim. > > > > > > -----Original Message----- > > > From: Andrija Panic [mailto:andrija.pa...@gmail.com] > > > Sent: Wednesday, May 27, 2015 12:17 PM > > > To: dev@cloudstack.apache.org > > > Subject: Re: refresh browser - logged out from ACS ? > > > > > > openign a new windows/tab with same address/URL also break things... > > > > > > > > > On 27 May 2015 at 11:11, Stephen Turner > > > <stephen.tur...@citrix.com> > > wrote: > > > > > > > Agreed, I thought it was on opening a new window (maybe a new > > > > tab > > > > too?) rather than refresh. But maybe refresh broke too as a side > > effect. > > > > > > > > -- > > > > Stephen Turner > > > > > > > > > > > > -----Original Message----- > > > > From: ilya [mailto:ilya.mailing.li...@gmail.com] > > > > Sent: 27 May 2015 04:28 > > > > To: dev@cloudstack.apache.org > > > > Subject: Re: refresh browser - logged out from ACS ? > > > > > > > > But it was not refresh - to best of my recollection.. > > > > > > > > On 5/26/15 8:27 PM, ilya wrote: > > > > > I vaguely recall Rohit mentioned it was some sort of security > > > > > fix that was causing this side effect due to the way > > > > > sessionids were > > > handled.. > > > > > > > > > > On 5/26/15 8:15 AM, Andrija Panic wrote: > > > > >> Thx Rafael, as usuall :) > > > > >> > > > > >> I remember there was some thread on this topic, but cant > > > > >> really find it... > > > > >> > > > > >> On 26 May 2015 at 17:14, Rafael Fonseca > > > > >> <rsafons...@gmail.com> > > wrote: > > > > >> > > > > >>> Hi Andrija, > > > > >>> > > > > >>> I noticed the same is also happening on the 4.6.0-SNAPSHOT .. > > > > >>> it's a bit annoying. > > > > >>> > > > > >>> I'll have a closer look later today if i can find the time > > > > >>> for it > > > > >>> :) > > > > >>> > > > > >>> > > > > >>> On Tue, May 26, 2015 at 4:11 PM, Andrija Panic > > > > >>> <andrija.pa...@gmail.com> > > > > >>> wrote: > > > > >>> > > > > >>>> Hi guys, > > > > >>>> > > > > >>>> just wondering - when I refresh browser/UI I get logged out > > > > >>>> of ACS > > > > >>>> - > > > > >>> 4.4.3 > > > > >>>> (testing with 4.5.1 in few minutes...). > > > > >>>> > > > > >>>> I remember there was some thread on this, but can't really > > > > >>>> find it > > > > >>> anywhere > > > > >>>> This behaviour is not present in 4.3 and prior AFAIK. > > > > >>>> > > > > >>>> Any tips ? > > > > >>>> -- > > > > >>>> > > > > >>>> Andrija Panić > > > > >>>> > > > > >> > > > > >> > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > Andrija Panić > > > > > > > > > > > -- > > > > Andrija Panić > > >
