Is this being discussed on the security list? I think that's the place for it, because I wouldn't want us to restore the old behaviour without a proper audit from security experts.
--
Stephen Turner

-----Original Message-----
From: Rafael Fonseca [mailto:rsafons...@gmail.com]
Sent: 27 May 2015 10:39
To: dev@cloudstack.apache.org
Subject: Re: refresh browser - logged out from ACS ?

Hi guys,

I had a look at this issue yesterday and created a PR to fix it, it's being discussed here https://github.com/apache/cloudstack/pull/308

Since this seems to be a security-related issue I will be updating my PR soon with a secure fix :)

On Wed, May 27, 2015 at 11:24 AM, Andrija Panic <andrija.pa...@gmail.com> wrote:

> it's not the case with i.e. 4.3.2... it is the case with 4.4.3 and
> 4.5.1 at the moment...
>
> On 27 May 2015 at 11:20, Vadim Kimlaychuk <vadim.kimlayc...@elion.ee> wrote:
>
> > Is it possible to fix? It seems such a behaviour was always like this.
> >
> > Vadim.
> >
> > -----Original Message-----
> > From: Andrija Panic [mailto:andrija.pa...@gmail.com]
> > Sent: Wednesday, May 27, 2015 12:17 PM
> > To: dev@cloudstack.apache.org
> > Subject: Re: refresh browser - logged out from ACS ?
> >
> > opening a new window/tab with same address/URL also breaks things...
> >
> > On 27 May 2015 at 11:11, Stephen Turner <stephen.tur...@citrix.com> wrote:
> >
> > > Agreed, I thought it was on opening a new window (maybe a new tab
> > > too?) rather than refresh. But maybe refresh broke too as a side effect.
> > >
> > > --
> > > Stephen Turner
> > >
> > > -----Original Message-----
> > > From: ilya [mailto:ilya.mailing.li...@gmail.com]
> > > Sent: 27 May 2015 04:28
> > > To: dev@cloudstack.apache.org
> > > Subject: Re: refresh browser - logged out from ACS ?
> > >
> > > But it was not refresh - to best of my recollection..
> > >
> > > On 5/26/15 8:27 PM, ilya wrote:
> > > > I vaguely recall Rohit mentioned it was some sort of security
> > > > fix that was causing this side effect due to the way sessionids
> > > > were handled..
> > > >
> > > > On 5/26/15 8:15 AM, Andrija Panic wrote:
> > > >> Thx Rafael, as usual :)
> > > >>
> > > >> I remember there was some thread on this topic, but can't really
> > > >> find it...
> > > >>
> > > >> On 26 May 2015 at 17:14, Rafael Fonseca <rsafons...@gmail.com> wrote:
> > > >>
> > > >>> Hi Andrija,
> > > >>>
> > > >>> I noticed the same is also happening on the 4.6.0-SNAPSHOT ..
> > > >>> it's a bit annoying.
> > > >>>
> > > >>> I'll have a closer look later today if I can find the time for it :)
> > > >>>
> > > >>> On Tue, May 26, 2015 at 4:11 PM, Andrija Panic
> > > >>> <andrija.pa...@gmail.com> wrote:
> > > >>>
> > > >>>> Hi guys,
> > > >>>>
> > > >>>> just wondering - when I refresh browser/UI I get logged out
> > > >>>> of ACS - 4.4.3 (testing with 4.5.1 in few minutes...).
> > > >>>>
> > > >>>> I remember there was some thread on this, but can't really
> > > >>>> find it anywhere
> > > >>>> This behaviour is not present in 4.3 and prior AFAIK.
> > > >>>>
> > > >>>> Any tips ?
> > > >>>> --
> > > >>>>
> > > >>>> Andrija Panić
> > > >>>>
> > > >>
> > > >
> > >
> > --
> >
> > Andrija Panić
> >
>
> --
>
> Andrija Panić
>