Item11621: User logout when access through HTTP after authenticated

Priority: Urgent
Current State: Waiting for Feedback
Released In: n/a
Target Release:
Applies To: Extension
Component: HttpsRedirectPlugin
Branches: master
Reported By: RogerioBastos
Waiting For:
Last Change By: GeorgeClark
Hi,

An authenticated user is logged out when accessing through HTTP.

-- RogerioBastos - 07 Mar 2012

I think that this might be fixed in the latest Foswiki; we now set a secure session cookie separate from the http cookie. If it's not that, I don't understand this issue. Could you explain it a bit better? Thanks.

-- GeorgeClark - 20 Mar 2016

To reproduce the bug, execute these steps: (1) Access https://foswiki.org/Tasks/Item11621 (2) Authenticate (3) Access http://foswiki.org/Tasks/Item11621 (without SSL). At step (3) you will be unauthenticated.

-- RogerioBastos - 16 May 2016

I'm not sure we can change this behaviour. On an https site, the Session Cookie has the "Secure" flag. This prevents it from being sent to a non-https site. So if you redirect to https for purposes of the login, then the session is stuck to https. If we allow the secure cookie to be delivered to a non-secure site, then it would probably introduce security concerns.

As we use this plugin on foswiki.org in a mixed http / https environment, I'm thinking that things would also work a bit smoother if any actions listed in the {AuthScripts} list redirect to https, not just login. That might reduce the cases where the user loses authentication.

Another change that we've been making in foswiki, primarily for Foswiki 2.2, is to change as many links as possible to relative links, omitting the protocol & hostname. As the base URL for the page is set from the request, it would make it more likely that users on https would "stick", in the case where the DefaultUrlHost is set to http.

-- GeorgeClark - 26 Mar 2017
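
The Secure-flag behaviour described in the comment above, replayed with Python's standard cookie jar standing in for the browser. This is an added example, not part of the original discussion or of HttpsRedirectPlugin; the host, cookie names and cookie values are constructed, and no network request is made.

```python
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

HOST = "wiki.example.test"   # constructed host; nothing is sent on the wire
TOPIC = "/Tasks/Item11621"


class FakeResponse:
    """Minimal stand-in for an HTTP response that carries Set-Cookie headers."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value   # Message appends, not replaces

    def info(self):
        return self._headers


def login_over_https(jar):
    """Steps (1) and (2): the https login response sets the cookies."""
    request = Request(f"https://{HOST}{TOPIC}")
    response = FakeResponse([
        # Constructed session cookie, marked Secure as on an https site.
        "SID=constructed-session-id; Path=/; Secure; HttpOnly",
        # Constructed non-session cookie without the Secure flag, for contrast.
        "PREFS=constructed-prefs; Path=/",
    ])
    jar.extract_cookies(response, request)


def cookie_header_for(jar, scheme):
    """Return the Cookie header the client would send for this scheme, or None."""
    request = Request(f"{scheme}://{HOST}{TOPIC}")
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


if __name__ == "__main__":
    jar = CookieJar()
    login_over_https(jar)
    print("https:", cookie_header_for(jar, "https"))
    # Step (3): the session cookie is withheld, so the server sees a guest.
    print("http: ", cookie_header_for(jar, "http"))
```

The client, not the server, drops the session cookie on the http request, which is why the plugin can only keep the user authenticated by redirecting that request to https.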

The next case that needs to be handled: if a user on http: with a lurking https session visits an access-restricted topic, the LoginManager::forceAuthentication is called to cause a 401 authentication request. If it just redirected to https, then the user would already be authenticated. The solution is to "monkey-patch" the login manager, forcing a redirect to the https URL for http requests.

-- GeorgeClark - 27 Mar 2017
 

ItemTemplate

Summary: User logout when access through HTTP after authenticated
ReportedBy: RogerioBastos
Codebase: 1.1.4
SVN Range:
AppliesTo: Extension
Component: HttpsRedirectPlugin
Priority: Urgent
CurrentState: Waiting for Feedback
WaitingFor:
Checkins: HttpsRedirectPlugin:5c4fda031ea3
ReleasedIn: n/a
CheckinsOnBranches: master
trunkCheckins:
masterCheckins: HttpsRedirectPlugin:5c4fda031ea3
ItemBranchCheckins:
Release02x01Checkins:
Release02x00Checkins:
Release01x01Checkins:
Topic revision: r6 - 28 Mar 2017, GeorgeClark