https://issues.jenkins-ci.org/browse/JENKINS-12585?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=160877#comment-160877

Christian Höltje commented on JENKINS-12585:
--------------------------------------------

Just a clarification.  It doesn't have to be a static asset.

Tomcat could have (according to the brief description on some stackoverflow 
article I can't find now) sent it on any page.  It doesn't send JSESSIONID on 
every URL requested, but has some logic for when to do it.

The only thing needed to poison apache's cache would be that:

a) A page that is cacheable. This isn't always just pages with an "Expires" or 
"Last-Modified" header.  The rules are... a little esoteric at times, and who 
knows how apache interprets them.
b) A page that sent the Set-Cookie header.

Also, as you mentioned in IRC, there is no point trying to "recover" a poisoned 
cache.  Your only real choice is to turn off the proxy-cache, or reset it with 
either a fix (like CacheIgnoreHeader Set-Cache) or the new as-yet-unwritten 
Jenkins.
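An added example, not code from the comment author, Jenkins, Tomcat or Apache, that simulates the two preconditions named above: a response a shared cache will store, and that same response carrying Set-Cookie. It assumes a Tomcat-like upstream that hands out a fresh JSESSIONID to any request arriving without a session cookie, a URL-keyed cache that stores storable responses whole, and a simplified storability rule (explicit max-age/Expires, no private/no-store) standing in for mod_cache's real rules. The hardened variant models the Apache directive `CacheIgnoreHeaders Set-Cookie` by dropping Set-Cookie from the stored copy; `poisoning_risk` is the check to run over real response headers.

```python
"""Shared-cache session leak, simulated.

Constructed example; not code from Jenkins, Tomcat, Apache or the comment
author.  It models the two preconditions in the comment: (a) a response a
shared cache will store, and (b) that same response carrying Set-Cookie.
"""
import itertools
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Response:
    status: int
    headers: Dict[str, str]   # single-valued headers are enough for this model
    body: bytes


def is_cacheable(headers: Dict[str, str]) -> bool:
    """Simplified shared-cache storability: explicit freshness and no
    private/no-store.  Assumption: real mod_cache rules are more involved
    (the comment calls them esoteric); this is only a stand-in."""
    cc = headers.get("Cache-Control", "").lower()
    if "no-store" in cc or "private" in cc:
        return False
    return "max-age" in cc or "s-maxage" in cc or "Expires" in headers


def poisoning_risk(headers: Dict[str, str]) -> bool:
    """The check to run over real response headers: storable AND sets a
    cookie means one user's session can be handed to every later client."""
    return is_cacheable(headers) and "Set-Cookie" in headers


class Upstream:
    """Stand-in for Tomcat behind Jenkins: any request that arrives without a
    session cookie gets a fresh JSESSIONID, on whatever URL it hit."""

    def __init__(self) -> None:
        self._ids = itertools.count(1)

    def handle(self, path: str, cookie: Optional[str]) -> Response:
        if path.startswith("/login"):
            headers = {"Content-Type": "text/html", "Cache-Control": "no-store"}
        else:
            headers = {"Content-Type": "text/html", "Cache-Control": "max-age=600"}
        if cookie is None:
            sid = f"JSESSIONID=S{next(self._ids):04d}"
            headers["Set-Cookie"] = f"{sid}; Path=/; HttpOnly"
        return Response(200, headers, b"<html>page</html>")


class ProxyCache:
    """Stand-in for Apache mod_cache.  `ignore_headers` plays the role of
    CacheIgnoreHeaders: those headers are dropped from the stored copy."""

    def __init__(self, upstream: Upstream, ignore_headers=()) -> None:
        self.upstream = upstream
        self.ignore = {h.lower() for h in ignore_headers}
        self.store: Dict[str, Response] = {}
        self.hits = 0

    def fetch(self, path: str, cookie: Optional[str]) -> Response:
        if path in self.store:          # naive cache: keyed on URL only
            self.hits += 1
            return self.store[path]
        resp = self.upstream.handle(path, cookie)
        if is_cacheable(resp.headers):
            kept = {k: v for k, v in resp.headers.items() if k.lower() not in self.ignore}
            self.store[path] = Response(resp.status, kept, resp.body)
        return resp                     # the first client still gets its own cookie


class Client:
    """Browser that adopts whatever session cookie it is handed."""

    def __init__(self) -> None:
        self.cookie: Optional[str] = None

    def get(self, proxy: ProxyCache, path: str) -> Response:
        resp = proxy.fetch(path, self.cookie)
        if "Set-Cookie" in resp.headers:
            self.cookie = resp.headers["Set-Cookie"].split(";", 1)[0]
        return resp


def run_scenario(ignore_headers=()):
    """Alice loads / first; Bob then loads the same cached page and the
    login page.  Returns (alice_cookie, bob_cookie, cache_hits)."""
    proxy = ProxyCache(Upstream(), ignore_headers)
    alice, bob = Client(), Client()
    alice.get(proxy, "/")
    bob.get(proxy, "/")
    bob.get(proxy, "/login")
    return alice.cookie, bob.cookie, proxy.hits


if __name__ == "__main__":
    print("naive cache:        ", run_scenario())
    print("CacheIgnoreHeaders: ", run_scenario(ignore_headers=("Set-Cookie",)))
```

With the naive cache Bob ends up holding Alice's JSESSIONID after one cache hit, which is exactly the "random developer sees my user id" symptom in the ticket; with Set-Cookie stripped from the stored copy, Bob gets no cookie from the cached page and obtains his own session on the next uncached request. Note that ignoring the header only protects copies stored after the directive is in place, which is why the comment says a poisoned cache must be cleared rather than recovered.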
                
> SECURITY: LDAP authenticated users switch accounts randomly
> -----------------------------------------------------------
>
>                 Key: JENKINS-12585
>                 URL: https://issues.jenkins-ci.org/browse/JENKINS-12585
>             Project: Jenkins
>          Issue Type: Bug
>          Components: security
>    Affects Versions: current
>         Environment: Mac OSX: 10.6.8 Desktop
> Java version: 1.6.0_29
> Access Control
> * Security Realm: LDAP
> * Authorization: Project-based Matrix Authorization Strategy
> Jenkins: 1.448
> Apache
> * Server version: Apache/2.2.17 (Unix)
> * Server built:   Dec  1 2010 09:58:15
>            Reporter: guillermo c
>            Assignee: Kohsuke Kawaguchi
>            Priority: Critical
>
> Running Jenkins behind Apache: mod_proxy with HTTPS
> https://wiki.jenkins-ci.org/display/JENKINS/Running+Jenkins+behind+Apache
> So our setup is
> Open Directory group
> jenkins-admin - Jenkins Admins all 
> dev-group-a - Developers can view kick off builds 
> Project-based Matrix Authorization Strategy
> Admin all checked
> dev-group-a checked: Overall:Read  Job:Read,Build Run:Update
> dev-group-b checked: Overall:Read  Job:Read
> The issue is I'm an admin and a random developer will log in and see that their user 
> id is mine and can admin Jenkins.
> There have been reported cases where developer A will log in and actually be 
> reported by Jenkins as developer B,
> where they can no longer trigger CI builds.
> My biggest concern is when users log in and are reported as admins and have 
> full access to Jenkins.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.jenkins-ci.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

