URL: https://github.com/freeipa/freeipa/pull/473 Author: simo5 Title: #473: Fix session/cookie related issues introduced with the privilege separation patches Action: opened
PR body: """ Fixes two bugs opened recently about double cookies being returned and ccache removal """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/473/head:pr473 git checkout pr473
From eae1b88a45329fceb385ab80ebf1beda6ab7f522 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Thu, 16 Feb 2017 11:07:31 -0500
Subject: [PATCH 1/2] Change session logout to kill only the cookie

Removing the ccache goes to far as it will cause unrelated sessions to fail as well, this is a problem for accounts used to do unattended operations and that may operate in parallel.

Fixes https://fedorahosted.org/freeipa/ticket/6682

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 ipaserver/plugins/session.py | 5 +++--
 ipaserver/session.py | 34 ----------------------------------
 2 files changed, 3 insertions(+), 36 deletions(-)
 delete mode 100644 ipaserver/session.py

diff --git a/ipaserver/plugins/session.py b/ipaserver/plugins/session.py
index c700ab9..8e480ed 100644
--- a/ipaserver/plugins/session.py
+++ b/ipaserver/plugins/session.py
@@ -5,7 +5,6 @@
 from ipalib import Command
 from ipalib.request import context
 from ipalib.plugable import Registry
-from ipaserver.session import logout
 register = Registry()
@@ -21,7 +20,9 @@ def execute(self, *args, **options):
         ccache_name = getattr(context, 'ccache_name', None)
         if ccache_name is None:
             self.debug('session logout command: no ccache_name found')
+        else:
+            delattr(context, 'ccache_name')
-        logout(ccache_name)
+        setattr(context, 'logout_cookie', '')
         return dict(result=None)
diff --git a/ipaserver/session.py b/ipaserver/session.py
deleted file mode 100644
index 6957feb..0000000
--- a/ipaserver/session.py
+++ /dev/null
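Review bot: With `logout(ccache_name)` gone, `execute` no longer invalidates anything on the server side: `setattr(context, 'logout_cookie', '')` only asks for the cookie to be cleared, so a session cookie that was copied or not discarded by the client stays usable until mod_session's own timeout expires it. The commit message explains why the shared ccache must not be unlinked (ticket 6682), but that trade-off belongs next to the code, e.g. above the `setattr`: `# Logout is cookie-only: the ccache may be shared by concurrent sessions of the same principal, so it is never removed here; server-side expiry relies on the mod_session timeout.` The new `else: delattr(context, 'ccache_name')` presumably only stops later code in this request from reusing the ccache name; if that is the intent, a one-line comment saying so would save the next reader from looking for a wider effect. The class enclosing `execute` starts outside the hunk.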
@@ -1,34 +0,0 @@
-# Authors: John Dennis <jden...@redhat.com>
-#
-# Copyright (C) 2011 Red Hat
-# see file 'COPYING' for use and warranty information
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-
-import os
-
-from ipalib.request import context
-from ipalib.krb_utils import (
-    krb5_parse_ccache,
-)
-
-
-def logout(ccache_name=None):
-    if ccache_name is None:
-        ccache_name = getattr(context, 'ccache_name', None)
-    if ccache_name is not None:
-        scheme, name = krb5_parse_ccache(ccache_name)
-        if scheme == 'FILE':
-            os.unlink(name)
-    setattr(context, 'logout_cookie', '')
From a40f8f8bd3597fe8748c523abeed5b554ab74920 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Thu, 16 Feb 2017 13:29:10 -0500
Subject: [PATCH 2/2] Deduplcate session cookie in headers

This removes one of the 2 identical copies of the ipa_session cookie

Fixes https://fedorahosted.org/freeipa/ticket/6676

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 install/conf/ipa.conf | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index f0330c5..635bfe5 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -79,6 +79,11 @@ WSGIScriptReloading Off
 WSGIApplicationGroup ipa
 Header always append X-Frame-Options DENY
 Header always append Content-Security-Policy "frame-ancestors 'none'"
+
+# mod_session always sets two copies of the cookie, and this confuses our
+# legacy clients, the unset here works because it ends up unsetting only one
+# of the 2 header tables set by mod_session, leaving the other intact
+Header unset Set-Cookie
 </Location>
 # Target for login with internal connections
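Review bot: `Header unset Set-Cookie` removes exactly one copy only because the non-`always` form of `Header` acts on a different header table than `Header always` does (the two tables are presumably headers_out and err_headers_out), and the comment above it should say that explicitly so nobody later "tidies" it into `Header always unset Set-Cookie`, which would strip both copies and leave clients with no session cookie at all. Suggested replacement for the last comment line: `# 'Header unset' (without 'always') touches only one of the two tables mod_session writes to; do NOT change this to 'Header always unset', which drops both copies.` This directive also discards any other Set-Cookie the WSGI application served at this Location might emit through the same table; that is harmless only if the application never sets cookies itself, which cannot be confirmed from this hunk. The `<Location>` block this hunk belongs to starts outside it.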