DSpace DS-4507: Token persistence after Logout


Details

• Attachments: 0
• Comments: 8
• Documentation Status: Not Required

      Description

      I think I found an issue with logout regarding token persistence after a Shibboleth logout process. You can replicate it by doing the following:

      1. Please note that to test this you need to have Shibboleth authentication active on your server (you can have others):
         plugin.sequence.org.dspace.authenticate.AuthenticationMethod = org.dspace.authenticate.ShibAuthentication
      2. Activate your browser inspector to grab the token.
      3. Log in with your Shibboleth account (via the Angular interface).
      4. Through the browser inspector, grab the Bearer token from one of your server requests.
      5. Log out via Angular.
      6. Using a shell terminal, execute a curl request for the authn status, like:
         curl -k -v "https://YOUR_SERVER/server/api/authn/status" -H "Authorization: Bearer eyJhbGc_YOUR_TOKEN...."

         I'm getting something like:
         {"id":null,"okay":true,"authenticated":true,"type":"status","_links":{"eperson":{"href":"https://MY_SERVER/server/api/eperson/epersons/931054dc-f4c2-40e8-ace3-37d288b87512"},"self":{"href":"https://MY_SERVER/server/api/authn/status"}}}


      This means the established session is still active and can, in theory, be re-used. This is a security issue that needs to be fixed.

      Note: this has nothing to do with SLO (https://jira.lyrasis.org/browse/DS-4464). When a user deliberately terminates his session, it is expected that the token is invalidated.
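      The following checker automates step 6 as a regression test for this issue. It is an added example, not part of DS-4507 or the DSpace code base. It takes a bearer token captured before the Angular logout (steps 4 and 5), calls GET /api/authn/status (the endpoint quoted above) with it, and exits non-zero when the server still reports the session as authenticated, so the same script can be run after a fix to confirm that logout really invalidates the token. The sample response bodies are constructed from the one quoted in the issue (with the EPerson UUID replaced by a placeholder); the anonymous-status shape shown for an invalidated token is an assumption about what a correct server returns.

```python
"""Regression check: is a DSpace REST bearer token still accepted after logout?

Added example for DS-4507; not DSpace project code. Assumes only the
GET /api/authn/status endpoint quoted in the issue. Logout itself is done
in the Angular UI (step 5); this script only verifies the aftermath.
"""
import json
import ssl
import sys
import urllib.request
from typing import Tuple
from urllib.error import HTTPError

# Constructed sample: the status body quoted in the issue, UUID replaced
# by a placeholder. This is what a token that survived logout produces.
SAMPLE_AFTER_LOGOUT = json.dumps({
    "id": None, "okay": True, "authenticated": True, "type": "status",
    "_links": {
        "eperson": {"href": "https://MY_SERVER/server/api/eperson/epersons/<EPERSON_UUID>"},
        "self": {"href": "https://MY_SERVER/server/api/authn/status"},
    },
})

# Constructed sample of the expected anonymous status once the token has
# been invalidated (assumed shape: same document, authenticated=false).
SAMPLE_INVALIDATED = json.dumps({
    "id": None, "okay": True, "authenticated": False, "type": "status",
    "_links": {"self": {"href": "https://MY_SERVER/server/api/authn/status"}},
})


def token_still_accepted(status_body: str, http_status: int = 200) -> bool:
    """Return True if the server still treats the bearer token as a live session.

    A 401 means the token was rejected outright. Otherwise the decision is
    the "authenticated" flag of the status document; anything that is not a
    status document counts as rejected.
    """
    if http_status == 401:
        return False
    try:
        doc = json.loads(status_body)
    except json.JSONDecodeError:
        return False
    if not isinstance(doc, dict) or doc.get("type") != "status":
        return False
    return bool(doc.get("authenticated"))


def fetch_status(base_url: str, token: str, verify_tls: bool = True) -> Tuple[int, str]:
    """GET /api/authn/status with the given bearer token; returns (http_status, body)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/authn/status",
        headers={"Authorization": f"Bearer {token}"},
    )
    ctx = ssl.create_default_context()
    if not verify_tls:  # equivalent of the issue's `curl -k`; off by default
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")


def check_after_logout(base_url: str, token: str, verify_tls: bool = True) -> dict:
    """Run the post-logout check; 'token_persists' True reproduces DS-4507."""
    status, body = fetch_status(base_url, token, verify_tls)
    return {"http_status": status, "token_persists": token_still_accepted(body, status)}


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("usage: check_logout.py https://YOUR_SERVER/server <token-captured-before-logout>")
        sys.exit(2)
    report = check_after_logout(sys.argv[1], sys.argv[2])
    print(json.dumps(report, indent=2))
    sys.exit(1 if report["token_persists"] else 0)
```

      Run it with the server base URL and the token captured in step 4, after completing the UI logout in step 5; a non-zero exit code means the token is still bound to an authenticated session, which is the condition this issue reports.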

People

Assignee: Unassigned
Reporter: Paulo Graça (paulo_graca)
Votes: 0
Watchers: 2