PUBLIC - Liferay Portal Community Edition: LPS-47577

Session renewed if phishing protection is enabled even if https is required

    Details

      Description

      I set a session attribute in an autologin filter. When trying to get this attribute in my post-login hook, the value is always null if session.enable.phishing.protection=true.

      All our pages are https (fronted by Apache Web Server), so I thought that having the value

      company.security.auth.requires.https=true

      would let me keep the session attributes even with session.enable.phishing.protection=true.

      In portal.properties, the information says that:

      #
      # Set this to true to invalidate the session when a user logs into the
      # portal. This helps prevent phishing. Set this to false if you need the
      # guest user and the authenticated user to have the same session.
      #
      # Set this to false if the property "company.security.auth.requires.https"
      # is set to true and you want to maintain the same credentials across HTTP
      # and HTTPS sessions.
      #
      session.enable.phishing.protection=true

      My setup in Liferay 6.1.1 works with both properties set to true.

      I notice there's been a change in
      com.liferay.portal.servlet.filters.autologin.AutoLoginFilter:

      AutoLoginFilter
      // Invalidates the current session and creates a new one after auto-login,
      // which drops the attributes set earlier in the filter
      if (PropsValues.SESSION_ENABLE_PHISHING_PROTECTION) {
      	session = LoginUtil.renewSession(request, session);
      }

      Should there also be a check if PropsValues.COMPANY_SECURITY_AUTH_REQUIRES_HTTPS is true or is this by design?

      Not sure if this is related, but:
      In com.liferay.portal.util.PortalImpl.isSecure() it seems that the request is not considered secure if both company.security.auth.requires.https and session.enable.phishing.protection are true at the same time.
      This seems unchanged between 6.1.1 and 6.2.0.
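The behaviour described above (the renewed session starts empty, so anything an earlier filter stored is gone by the time the post-login hook runs) is the standard session-fixation defence: a session that existed before authentication is discarded and a fresh one is issued. The example below is added here for illustration and is not Liferay's code or its LoginUtil.renewSession; it uses only the plain javax.servlet API. It shows a renewal helper that keeps the fixation defence while carrying over an explicit allow-list of attributes, which is the usual way to keep a value set by an autologin filter without turning phishing protection off. The class name, the attribute names in CARRY_OVER and the filter wiring are assumptions for the example, not something the report states.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical example filter (not Liferay code): renews the HTTP session at
 * login so that a session id handed out before authentication cannot be
 * reused (session fixation), while copying a small allow-list of attributes
 * from the old session into the new one.
 */
public class SessionRenewalFilter implements Filter {

    // Assumed attribute names set by an earlier auto-login filter; the issue
    // report does not say which attribute was lost, so these are placeholders.
    private static final Set<String> CARRY_OVER =
        Set.of("AUTOLOGIN_USER_ID", "AUTOLOGIN_SOURCE");

    /**
     * Invalidates the caller's current session (if any) and returns a new one
     * that contains only the allow-listed attributes. Everything else stored
     * before authentication is deliberately discarded.
     */
    public static HttpSession renewSession(HttpServletRequest request,
                                           Set<String> carryOver) {
        Map<String, Object> saved = new HashMap<>();
        HttpSession old = request.getSession(false);
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                if (carryOver.contains(name)) {
                    saved.put(name, old.getAttribute(name));
                }
            }
            // Drop the pre-authentication session id entirely rather than
            // reusing it; this is what defeats a fixated session id.
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        saved.forEach(fresh::setAttribute);
        return fresh;
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure in this example
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Renewal is done regardless of request.isSecure(): HTTPS protects the
        // cookie in transit but does not by itself stop a fixated session id
        // from being reused, so the renewal is kept on both HTTP and HTTPS.
        renewSession(request, CARRY_OVER);
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release in this example
    }
}
```

The allow-list is the important design choice: copying every attribute across would silently preserve anything an attacker could have planted in the pre-login session, so only values the login pipeline itself produced should survive the renewal. With this pattern the attribute the report describes would be readable in a post-login hook even with session.enable.phishing.protection=true, without relaxing the check on company.security.auth.requires.https.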

      Packages

      Version Package: 6.2.0 CE GA1