portals-jetspeed-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ate Douma (JIRA)" <jetspeed-...@portals.apache.org>
Subject [jira] Resolved: (JS2-582) Portlet sessions are not invalidated when the portal session is destroyed with emptySessionPath="true"
Date Sat, 16 Sep 2006 01:36:23 GMT
     [ http://issues.apache.org/jira/browse/JS2-582?page=all ]

Ate Douma resolved JS2-582.

    Resolution: Fixed

Fix committed

> Portlet sessions are not invalidated when the portal session is destroyed with emptySessionPath="true"
> ------------------------------------------------------------------------------------------------------
>                 Key: JS2-582
>                 URL: http://issues.apache.org/jira/browse/JS2-582
>             Project: Jetspeed 2
>          Issue Type: Bug
>          Components: Container
>    Affects Versions: 2.1, 2.1-dev
>         Environment: Tomcat 5.5.17 with Connector setting emptySessionPath="true"
>            Reporter: Ate Douma
>         Assigned To: Ate Douma
>             Fix For: 2.1, 2.1-dev
> To be able to "share" a PortletSession with a servlet accessed directly of a PortletApplication
(as specified by JSR-168), you have to define Tomcat (5.5.x) Connector attribute emptySessionPath="true".
> I recently was required to do this, and then I noticed this had a critical security side-effect
with the current version of Jetspeed.
> The emptySessionPath="true" setting causes only one cookie to be set for the portal root
path which is then shared by all web applications (portal and portlet applications) for one
user connection.
> Now, when you logout in the portal, the portal session is invalidated, *but all the portlet
application sessions remain active*!
> When you login as a different user, you *still* see the session data from the previous
(portal) session.
> Without emptySessionPath="true", the PortletSessions created are actually "shadowing"
the Portal session, and then those get invalid too when the portal session is destroyed.
> The real solution (also already somewhat implicitly indicated by the JSR-168 spec) is
actively invalidating all created PortletApplication sessions when the Portal application
session becomes invalid (logout or timeout).
> I've created a lightweight PortalSessionsManager implementation which seems to work very
> This new component has to be configured as a Portal Service in the spring assembly, which
I will do as default, and then emptySessionPath="true" can safely be used.

This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira


To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org

View raw message