portals-jetspeed-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ate Douma (JIRA)" <jetspeed-...@portals.apache.org>
Subject [jira] Created: (JS2-582) Portlet sessions are not invalidated when the portal session is destroyed with emptySessionPath="true"
Date Sat, 16 Sep 2006 01:34:22 GMT
Portlet sessions are not invalidated when the portal session is destroyed with emptySessionPath="true"

                 Key: JS2-582
                 URL: http://issues.apache.org/jira/browse/JS2-582
             Project: Jetspeed 2
          Issue Type: Bug
          Components: Container
    Affects Versions: 2.1, 2.1-dev
         Environment: Tomcat 5.5.17 with Connector setting emptySessionPath="true"
            Reporter: Ate Douma
         Assigned To: Ate Douma
             Fix For: 2.1, 2.1-dev

To be able to "share" a PortletSession with a servlet accessed directly of a PortletApplication
(as specified by JSR-168), you have to define Tomcat (5.5.x) Connector attribute emptySessionPath="true".
I recently was required to do this, and then I noticed this had a critical security side-effect
with the current version of Jetspeed.

The emptySessionPath="true" setting causes only one cookie to be set for the portal root path
which is then shared by all web applications (portal and portlet applications) for one user
Now, when you logout in the portal, the portal session is invalidated, *but all the portlet
application sessions remain active*!
When you login as a different user, you *still* see the session data from the previous (portal)
Without emptySessionPath="true", the PortletSessions created are actually "shadowing" the
Portal session, and then those get invalid too when the portal session is destroyed.

The real solution (also already somewhat implicitly indicated by the JSR-168 spec) is actively
invalidating all created PortletApplication sessions when the Portal application session becomes
invalid (logout or timeout).

I've created a lightweight PortalSessionsManager implementation which seems to work very well.
This new component has to be configured as a Portal Service in the spring assembly, which
I will do as default, and then emptySessionPath="true" can safely be used.

This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira


To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org

View raw message