jasig-ssp IRC Logs-2013-08-16
[11:39:21 CDT(-0500)] <TonyUnicon1> DEV: 10:38:21.555 [http-8080-1] WARN o.s.s.w.a.s.SessionFixationProtectionStrategy - Your servlet container did not change the session ID when a new session was created. You will not be adequately protected against session-fixation attacks
[11:39:31 CDT(-0500)] <TonyUnicon1> is this something to worry about?
[11:39:36 CDT(-0500)] <TonyUnicon1> I don't think I've seen it before
[11:39:44 CDT(-0500)] <pspaude> I've been seeing that too and no it wasn't there before
[11:40:37 CDT(-0500)] <dmccallum54> it's "ok"
[11:40:46 CDT(-0500)] <dmccallum54> we've always been running with that
[11:40:57 CDT(-0500)] <dmccallum54> with session fixation protection disabled i mean
[11:41:08 CDT(-0500)] <TonyUnicon1> ok
[11:41:09 CDT(-0500)] <dmccallum54> but the oauth changes upgraded springsecurity
[11:41:24 CDT(-0500)] <dmccallum54> so i think that's what's causing the new log message
[11:41:36 CDT(-0500)] <TonyUnicon1> alright
[11:41:37 CDT(-0500)] <pspaude> I'm getting spring security stuff too with it so I think you are right
[11:41:42 CDT(-0500)] <pspaude> cool
[11:41:50 CDT(-0500)] <dmccallum54> running without the protection sucks
[11:42:05 CDT(-0500)] <dmccallum54> but if we turn it on there's a race condition that blows up 1st time logins
[11:43:49 CDT(-0500)] <pspaude> If it's only the first time, document it and let the users deal with it.
[11:43:57 CDT(-0500)] <dmccallum54> https://issues.jasig.org/browse/SSP-357
[11:44:08 CDT(-0500)] <pspaude> i.e.: The first time is just to get SSP ready for your login. Refresh and re-login again to complete SSP login functionality.
[11:45:14 CDT(-0500)] <dmccallum54> as long as uP is handling auth for us, we should be OK without fixation protection… and oauth doesn't use sessions
[11:45:52 CDT(-0500)] <dmccallum54> if we ever do have to run in true standalone mode we'll need to revisit the issue
[11:46:29 CDT(-0500)] <dmccallum54> we really shouldn't need sessions at all, tho. it's just b/c of uportal that they get involved at all
[11:46:33 CDT(-0500)] <dmccallum54> but anyway
[11:46:36 CDT(-0500)] <dmccallum54> horse. beaten.
[11:56:46 CDT(-0500)] <js70> not enough.
[11:57:07 CDT(-0500)] <dmccallum54> i think js70 is coming around to my … perspective… on ssp+uP
[11:57:37 CDT(-0500)] <js70> :^)