PUBLIC - Liferay Portal Community Edition
LPS-47577

Session renewed if phishing protection is enabled even if https is required

Description

I set a session attribute in an autologin filter. When trying to get this attribute in my post-login hook, the value is always null if session.enable.phishing.protection=true.

All our pages are https (fronted by Apache Web Server), so I thought that having the value

company.security.auth.requires.https=true

would let me keep the session attributes even with session.enable.phishing.protection=true.

      In portal.properties, the information says that:

      #
      # Set this to true to invalidate the session when a user logs into the
      # portal. This helps prevent phishing. Set this to false if you need the
      # guest user and the authenticated user to have the same session.
      #
      # Set this to false if the property "company.security.auth.requires.https"
      # is set to true and you want to maintain the same credentials across HTTP
      # and HTTPS sessions.
      #
      session.enable.phishing.protection=true
      

      My setup in Liferay 6.1.1 works with both properties set to true.

I notice there's been a change in com.liferay.portal.servlet.filters.autologin.AutoLoginFilter:

AutoLoginFilter:
if (PropsValues.SESSION_ENABLE_PHISHING_PROTECTION) {
    session = LoginUtil.renewSession(request, session);
}

Should there also be a check if PropsValues.COMPANY_SECURITY_AUTH_REQUIRES_HTTPS is true, or is this by design?

Not sure if this is related, but: in com.liferay.portal.util.PortalImpl.isSecure() it seems that the request is not considered secure if both company.security.auth.requires.https and session.enable.phishing.protection are true at the same time. This seems unchanged between 6.1.1 and 6.2.0.

People

Assignee: Tomáš Polešovský (tomas.polesovsky)
Reporter: Thomas Berg (13thbit, Inactive)

Packages

Version: 6.2.0 CE GA1