Bug #15150
open
User session is not isolated when simultaneous logins with same credentials
Added by Ivan Necas about 8 years ago.
Updated almost 7 years ago.
Description
Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1338013
Description of problem:
Many companies keeps the bad practice of sharing the same admin user and password across all the associates.
In Satellite if simultaneous users login using same credentials the session context is not isolated
So changes of organization context in one will reflect in all the other sessions.
Version-Release number of selected component (if applicable):
Sat 6.2 - RHEL7
How reproducible:
Always (when two or more users login using same credentials)
Steps to Reproduce:
Take a look at the attached screen record.
Actual results:
Organization changes in one session reflects in all the others
Expected results:
Session context isolation
or
Preventing users to login if there is an active session
Additional info:
attached video
- Status changed from New to Ready For Testing
- Assignee set to Ivan Necas
- Pull request https://github.com/theforeman/foreman/pull/3544 added
- Status changed from Ready For Testing to New
- Assignee deleted (
Ivan Necas)
- Pull request deleted (
https://github.com/theforeman/foreman/pull/3544)
PR closed due to inactivity.
- Assignee set to Rahul Bajaj
I fell this feature relates to the design of the project and should be as is.
Suppose if you maintain a flag in the database that turns true when logged in
and false when logged out, this could stop other users to login from the same credentials
but what if the browser crashes. Next time the user tries to login, his session will be
on and the flag will still be set to true.
Therefore, i guess we must keep this feature as is.
I hope i am thinking on the right track, tell me if i am missing something here :)
- Assignee deleted (
Rahul Bajaj)
Rahul Bajaj wrote:
I fell this feature relates to the design of the project and should be as is.
Suppose if you maintain a flag in the database that turns true when logged in
and false when logged out, this could stop other users to login from the same credentials
but what if the browser crashes. Next time the user tries to login, his session will be
on and the flag will still be set to true.
Therefore, i guess we must keep this feature as is.
I hope i am thinking on the right track, tell me if i am missing something here :)
This answers the second part of 'OR' in Expected results.
The original issue was raised for expiring top bar cache when a user's session changes. Caching is only enabled in the production environment, so you may not be able to see this behaviour in development. See the PR
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by 
Updated by