- Type: Bug
- Status: Closed
- Resolution: Won't Fix
- Affects Version/s: 6.2.0 CE GA1
- Fix Version/s: 6.2.0 CE GA1
- Component/s: Security Vulnerability
- Labels: None
I set a session attribute in an AutoLoginFilter. When trying to get this attribute in my post-login hook, the value is always null if session.enable.phishing.protection=true.
All our pages are HTTPS (fronted by Apache Web Server), so I thought that setting
company.security.auth.requires.https=true
would let me keep the session attributes even with session.enable.phishing.protection=true.
In portal.properties, the documentation says:
#
# Set this to true to invalidate the session when a user logs into the
# portal. This helps prevent phishing. Set this to false if you need the
# guest user and the authenticated user to have the same session.
#
# Set this to false if the property "company.security.auth.requires.https"
# is set to true and you want to maintain the same credentials across HTTP
# and HTTPS sessions.
#
session.enable.phishing.protection=true
My setup in Liferay 6.1.1 works with both properties set to true.
I notice there's been a change in
com.liferay.portal.servlet.filters.autologin.AutoLoginFilter:
// 6.2.0: the session is renewed whenever phishing protection is on;
// PropsValues.COMPANY_SECURITY_AUTH_REQUIRES_HTTPS is not consulted here
if (PropsValues.SESSION_ENABLE_PHISHING_PROTECTION) {
    session = LoginUtil.renewSession(request, session);
}
Should there also be a check whether PropsValues.COMPANY_SECURITY_AUTH_REQUIRES_HTTPS is true, or is this by design?
Not sure if this is related, but:
In com.liferay.portal.util.PortalImpl.isSecure() it seems that the request is not considered secure if both company.security.auth.requires.https and session.enable.phishing.protection are true at the same time.
This seems unchanged between 6.1.1 and 6.2.0.