Bug #15150
User session is not isolated when simultaneous logins with same credentials
Description
Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1338013
Description of problem:
Many companies keep the bad practice of sharing the same admin user and password across all the associates.
In Satellite, if simultaneous users log in using the same credentials, the session context is not isolated,
so changes of organization context in one will be reflected in all the other sessions.
Version-Release number of selected component (if applicable):
Sat 6.2 - RHEL7
How reproducible:
Always (when two or more users log in using the same credentials)
Steps to Reproduce:
Take a look at the attached screen record.
Actual results:
Organization changes in one session are reflected in all the others
Expected results:
Session context isolation
or
Preventing users from logging in if there is an active session
Additional info:
attached video
Updated by The Foreman Bot almost 8 years ago
- Status changed from New to Ready For Testing
- Assignee set to Ivan Necas
- Pull request https://github.com/theforeman/foreman/pull/3544 added
Updated by Dominic Cleal over 7 years ago
- Status changed from Ready For Testing to New
- Assignee deleted (Ivan Necas)
- Pull request deleted (https://github.com/theforeman/foreman/pull/3544)
PR closed due to inactivity.
Updated by Rahul Bajaj almost 7 years ago
I feel this feature relates to the design of the project and should be as is.
Suppose you maintain a flag in the database that turns true when logged in
and false when logged out; this could stop other users from logging in from the same credentials,
but what if the browser crashes? Next time the user tries to log in, his session will be
on and the flag will still be set to true.
Therefore, I guess we must keep this feature as is.
I hope I am thinking on the right track, tell me if I am missing something here :)
Updated by Anurag Patel almost 7 years ago
Rahul Bajaj wrote:
I feel this feature relates to the design of the project and should be as is.
Suppose you maintain a flag in the database that turns true when logged in
and false when logged out; this could stop other users from logging in from the same credentials,
but what if the browser crashes? Next time the user tries to log in, his session will be
on and the flag will still be set to true. Therefore, I guess we must keep this feature as is.
I hope I am thinking on the right track, tell me if I am missing something here :)
This answers the second part of 'OR' in Expected results.
The original issue was raised for expiring top bar cache when a user's session changes. Caching is only enabled in the production environment, so you may not be able to see this behaviour in development. See the PR
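
The behaviour reported above can be modelled with a toy fragment cache. This is an added example, not Foreman's code: it assumes the top bar fragment is cached under a key derived only from the account, and every class, constant and method name in it is hypothetical.

```ruby
# Toy model, constructed for illustration; names are hypothetical, not Foreman's.
Session = Struct.new(:id, :user_login, :organization)

class TopBarCache
  def initialize(key_builder)
    @store = {}
    @key_builder = key_builder
  end

  # Return the cached fragment, rendering it on a miss.
  def fetch(session)
    @store[@key_builder.call(session)] ||= render(session)
  end

  # Called when a session switches organization: drop that session's entry.
  def expire(session)
    @store.delete(@key_builder.call(session))
  end

  private

  def render(session)
    "#{session.user_login} @ #{session.organization}"
  end
end

# Weak: the key depends only on the account, so every session of "admin" shares it.
PER_USER_KEY = ->(s) { "topbar/#{s.user_login}" }

# Isolated: the key also covers the session-scoped context shown in the fragment.
PER_CONTEXT_KEY = ->(s) { "topbar/#{s.user_login}/#{s.organization}" }

# Two browsers logged in with the same shared credentials (constructed sample).
def simulate(key_builder)
  cache = TopBarCache.new(key_builder)
  a = Session.new("sess-a", "admin", "Org1")
  b = Session.new("sess-b", "admin", "Org2")
  cache.fetch(a)            # A renders and caches its top bar
  b.organization = "Org3"   # B switches organization...
  cache.expire(b)           # ...which expires B's cache entry
  cache.fetch(b)            # B re-renders its top bar
  cache.fetch(a)            # what A sees on its next page load
end
```

With `PER_USER_KEY`, session A is served the fragment rendered for session B's organization; with `PER_CONTEXT_KEY`, each session keeps its own.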