[GitHub] cloudstack pull request: CLOUDSTACK-8622: Reinstate working sessio...
Github user DaanHoogland commented on the pull request: https://github.com/apache/cloudstack/pull/574#issuecomment-120276323 LGTM be sure to add 2 'this closes #' lines. one for this and one for 308 --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---
[GitHub] cloudstack pull request: CLOUDSTACK-8622: Reinstate working sessio...
Github user wilderrodrigues commented on the pull request: https://github.com/apache/cloudstack/pull/574#issuecomment-120256667 page refreshes, opening multiple tabs, Nice! I also liked the String.format() calls. I should use it more as well. For some stuff still using MessageFormat from the text package. But String.format() makes life easier and code more readable. LGTM :+1: --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---
[GitHub] cloudstack pull request: CLOUDSTACK-8622: Reinstate working sessio...
Github user bhaisaab commented on the pull request: https://github.com/apache/cloudstack/pull/574#issuecomment-120396037 Thanks for the reviews, merged on 4.5/master now. --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---
[GitHub] cloudstack pull request: CLOUDSTACK-8622: Reinstate working sessio...
Github user asfgit closed the pull request at: https://github.com/apache/cloudstack/pull/574 --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---
[GitHub] cloudstack pull request: CLOUDSTACK-8622: Reinstate working sessio...
Github user abhinandanprateek commented on the pull request: https://github.com/apache/cloudstack/pull/574#issuecomment-120215440 This was much needed. The code looks good to me. --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---
[GitHub] cloudstack pull request: CLOUDSTACK-8622: Reinstate working sessio...
GitHub user bhaisaab opened a pull request: https://github.com/apache/cloudstack/pull/574 CLOUDSTACK-8622: Reinstate working sessions in browser - Login is based on sessionkey HttpOnly Cookie - ApiServlet does login verification using sessionKey from both the request cookies and the API parameters. In both cases, if either or both are passed they should match the sessionKey stored in the current session of the HttpRequest - UI: it no longer needs to read or set sessionkey cookie - UI: it no longer needs to return g_sessionKey value in the API requests, though to support a sso mechanism it is not removed for that specific case - UI: on logout, all cookies are removed (though this won't remove httponly ones) - Secure jsessionid cookie is set to be HttpOnly and Secure - SAML login should also set HttpOnly cookie before redirecting to UI - SAML: ListIdps API is made a readonly API that won't destroy an existing session Performed tests (login, saml login if applicable, page refreshes, opening multiple tabs, logout) with following combinations: - SAML disabled, normal auth as admin, domain-admin and user - SAML enabled, normal auth as admin, domain-admin and user; and saml sso as admin, domain-admin and user You can merge this pull request into a Git repository by running: $ git pull https://github.com/apache/cloudstack CLOUDSTACK-8622 Alternatively you can review and apply these changes as the patch at: https://github.com/apache/cloudstack/pull/574.patch To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #574 commit 88f63d516860d348b818d1c9149829f3469cd00a Author: Rohit Yadav rohit.ya...@shapeblue.com Date: 2015-07-09T20:58:30Z CLOUDSTACK-8622: Reinstate working sessions in browser - Login is based on sessionkey HttpOnly Cookie - ApiServlet does login verification using sessionKey from both the request cookies and the API parameters. In both cases, if either or both are passed they should match the sessionKey stored in the current session of the HttpRequest - UI: it no longer needs to read or set sessionkey cookie - UI: it no longer needs to return g_sessionKey value in the API requests, though to support a sso mechanism it is not removed for that specific case - UI: on logout, all cookies are removed (though this won't remove httponly ones) - Secure jsessionid cookie is set to be HttpOnly and Secure - SAML login should also set HttpOnly cookie before redirecting to UI - SAML: ListIdps API is made a readonly API that won't destroy an existing session Performed tests (login, saml login if applicable, page refreshes, opening multiple tabs, logout) with following combinations: - SAML disabled, normal auth as admin, domain-admin and user - SAML enabled, normal auth as admin, domain-admin and user; and saml sso as admin, domain-admin and user --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---
[GitHub] cloudstack pull request: CLOUDSTACK-8622: Reinstate working sessio...
Github user bhaisaab commented on the pull request: https://github.com/apache/cloudstack/pull/574#issuecomment-120146560 I reviewed https://github.com/apache/cloudstack/pull/308 and found that it needs more fixes, since that PR is slightly old now, worked on this. This aims to have a good trade off between security and re-enabling session across tabs: the greatest benefit is that refreshing the UI won't log you out. Please review. cc @DaanHoogland @rsafonseca @wilderrodrigues @abhinandanprateek @jlk --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---
[GitHub] cloudstack pull request: CLOUDSTACK-8622: Reinstate working sessio...
Github user bhaisaab commented on the pull request: https://github.com/apache/cloudstack/pull/574#issuecomment-120146710 (note: single patch ensures we capture the single aim with this fix and also easy to port to other branches, 4.5/master etc.) --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---