Bug #15150

open

User session is not isolated when simultaneous logins with same credentials

Added by Ivan Necas almost 8 years ago. Updated almost 7 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Web Interface
Target version:
-
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1338013
Description of problem:

Many companies keep the bad practice of sharing the same admin user and password across all their associates.

In Satellite, if simultaneous users log in using the same credentials, the session context is not isolated.

So changes of organization context in one session will be reflected in all the other sessions.

Version-Release number of selected component (if applicable):

Sat 6.2 - RHEL7

How reproducible:

Always (when two or more users log in using the same credentials)

Steps to Reproduce:
Take a look at the attached screen record.

Actual results:

Organization changes in one session are reflected in all the others

Expected results:

Session context isolation
or
Preventing users from logging in if there is an active session

Additional info:
attached video

Actions #1

Updated by The Foreman Bot almost 8 years ago

  • Status changed from New to Ready For Testing
  • Assignee set to Ivan Necas
  • Pull request https://github.com/theforeman/foreman/pull/3544 added

Actions #2

Updated by Dominic Cleal over 7 years ago

  • Status changed from Ready For Testing to New
  • Assignee deleted (Ivan Necas)
  • Pull request deleted (https://github.com/theforeman/foreman/pull/3544)

PR closed due to inactivity.

Actions #3

Updated by Rahul Bajaj almost 7 years ago

  • Assignee set to Rahul Bajaj

Actions #4

Updated by Rahul Bajaj almost 7 years ago

I feel this feature relates to the design of the project and should stay as is.

Suppose you maintain a flag in the database that turns true when logged in
and false when logged out; this could stop other users from logging in with the same credentials,
but what if the browser crashes? Next time the user tries to log in, his session will be
on and the flag will still be set to true.

Therefore, I guess we must keep this feature as is.

I hope I am thinking on the right track; tell me if I am missing something here :)

Actions #5

Updated by Rahul Bajaj almost 7 years ago

  • Assignee deleted (Rahul Bajaj)

Actions #6

Updated by Anurag Patel almost 7 years ago

Rahul Bajaj wrote:

I feel this feature relates to the design of the project and should stay as is.

Suppose you maintain a flag in the database that turns true when logged in
and false when logged out; this could stop other users from logging in with the same credentials,
but what if the browser crashes? Next time the user tries to log in, his session will be
on and the flag will still be set to true.

Therefore, I guess we must keep this feature as is.

I hope I am thinking on the right track; tell me if I am missing something here :)

This answers the second part of the 'OR' in Expected results.

The original issue was raised for expiring the top bar cache when a user's session changes. Caching is only enabled in the production environment, so you may not be able to see this behaviour in development. See the PR.
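The two technical points in this thread, the top bar cache that comment #6 says was keyed so that one login's organization change leaked into another (the cause of the reported behaviour), and the "stuck flag after a browser crash" objection in comment #4 to blocking concurrent logins, are modelled below in an added Ruby example. It is not Foreman's code and does not use its APIs: `MemoryCache` is a constructed stand-in for a Rails-style fragment cache, the session ids are generated locally, and the 600-second lock TTL is an assumed value chosen for illustration.

```ruby
# Added example, not Foreman's code. Models (1) a memoised "top bar" fragment
# keyed per user versus per session, and (2) a single-active-login lock whose
# entry expires, so a crashed browser does not lock the account out forever.
require 'securerandom'

# Constructed stand-in for a fragment cache such as Rails.cache.
class MemoryCache
  def initialize; @store = {}; end

  def fetch(key)
    return @store[key] if @store.key?(key)
    @store[key] = yield
  end

  def delete(key); @store.delete(key); end
end

# One login: the shared user id, a fresh session id, and that login's own org context.
Session = Struct.new(:user_id, :session_id, :org) do
  def self.login(user_id, org)
    new(user_id, SecureRandom.hex(8), org)
  end
end

# Renders the top bar fragment for a session and memoises it in the cache.
class TopBar
  def initialize(cache, key_strategy)
    @cache = cache
    @key_strategy = key_strategy # :per_user (leaks across logins) or :per_session (isolated)
  end

  def render(session)
    @cache.fetch(cache_key(session)) { "topbar[user=#{session.user_id} org=#{session.org}]" }
  end

  # The user switches organization in this session: expire and re-render its fragment.
  def change_org(session, new_org)
    @cache.delete(cache_key(session))
    session.org = new_org
    render(session)
  end

  private

  def cache_key(session)
    case @key_strategy
    when :per_user    then "topbar/#{session.user_id}"                       # shared by every login of the user
    when :per_session then "topbar/#{session.user_id}/#{session.session_id}" # unique to this login
    end
  end
end

# Two browsers log in with the same credentials; session A switches org.
# Returns the top bar that session B sees afterwards.
def org_seen_by_other_session(key_strategy)
  cache = MemoryCache.new
  bar = TopBar.new(cache, key_strategy)
  a = Session.login(1, 'Org1')
  b = Session.login(1, 'Org1')
  bar.render(a)
  bar.render(b)
  bar.change_org(a, 'Org2')
  bar.render(b)
end

# Single-active-login lock with a time-to-live (TTL value is an assumption for the
# example). A session that never logs out (browser crash) stops blocking new logins
# once its last heartbeat is older than the TTL, which is the failure mode comment #4 raises.
class LoginLock
  def initialize(ttl_seconds)
    @ttl = ttl_seconds
    @active = {} # user_id => time of last activity (seconds)
  end

  # Returns true and records the new login if no other login is still live.
  def try_login(user_id, now)
    last = @active[user_id]
    return false if last && now - last < @ttl
    @active[user_id] = now
    true
  end

  def heartbeat(user_id, now); @active[user_id] = now; end

  def logout(user_id); @active.delete(user_id); end
end

if __FILE__ == $PROGRAM_NAME
  puts "per-user key, B sees:    #{org_seen_by_other_session(:per_user)}"
  puts "per-session key, B sees: #{org_seen_by_other_session(:per_session)}"
  lock = LoginLock.new(600)
  puts "second login at t=100 allowed? #{lock.try_login(1, 0) && lock.try_login(1, 100)}"
  puts "login at t=700 (crashed session expired) allowed? #{lock.try_login(1, 700)}"
end
```

With the per-user key, session B's top bar is served from the fragment session A regenerated after switching to Org2, which is exactly the cross-session leak reported here; the per-session key keeps B on Org1. The lock shows the other option from "Expected results" in a form that survives a crashed browser: a login is refused only while the previous login's last heartbeat is within the TTL, and an explicit logout releases it immediately.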
