Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
IDProjectCategoryView StatusDate SubmittedLast Update
0037667Openbravo ERPA. Platformpublic2018-01-18 11:302018-02-22 18:19
Reportermarvintm 
Assigned Tomarvintm 
PriorityhighSeveritymajorReproducibilityalways
StatusclosedResolutionfixed 
PlatformOS5OS Version
Product Version 
Target VersionFixed in Version3.0PR18Q2 
Merge Request Status
Review Assigned Toalostale
OBNetwork customerOBPS
Web browser
ModulesCore
Support ticket
Regression level
Regression date
Regression introduced in release
Regression introduced by commit
Triggers an Emergency PackNo
Summary0037667: Cookie should be regenerated when logging in the application
DescriptionThe cookie identifier should be regenerated when login occurrs, to prevent some malicious user from having a valid session by getting the cookie identifier before a valid user logs in.
Steps To Reproduce.
Proposed Solution
Additional Information
TagsNo tags attached.
Relationships
Attached Files
Issue History
Date ModifiedUsernameFieldChange
2018-01-18 11:30marvintmNew Issue
2018-01-18 11:30marvintmAssigned To => Retail
2018-01-18 11:30marvintmOBNetwork customer => No
2018-01-18 11:30marvintmModules => Core
2018-01-18 11:30marvintmTriggers an Emergency Pack => No
2018-01-19 10:54marvintmResolution time => 1517526000
2018-01-19 10:54marvintmOBNetwork customerNo => Yes
2018-01-26 14:21hgbotCheckin
2018-01-26 14:21hgbotNote Added: 0101998
2018-01-26 14:21hgbotStatusnew => resolved
2018-01-26 14:21hgbotResolutionopen => fixed
2018-01-26 14:21hgbotFixed in SCM revision => http://code.openbravo.com/erp/devel/pi/rev/4bf409c90fd1d716d76f8f4d3f582222316c10cd [^]
2018-01-26 14:21hgbotCheckin
2018-01-26 14:21hgbotNote Added: 0101999
2018-01-26 14:21hgbotCheckin
2018-01-26 14:21hgbotNote Added: 0102000
2018-01-26 14:21hgbotFixed in SCM revisionhttp://code.openbravo.com/erp/devel/pi/rev/4bf409c90fd1d716d76f8f4d3f582222316c10cd [^] => http://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/rev/ca10efa411dc8d9c707ad03a65aa0c8ff6409e4e [^]
2018-01-29 09:16marvintmReview Assigned To => alostale
2018-01-29 09:16marvintmAssigned ToRetail => marvintm
2018-02-02 09:09hgbotCheckin
2018-02-02 09:09hgbotNote Added: 0102133
2018-02-02 09:10alostaleNote Added: 0102134
2018-02-02 09:10alostaleStatusresolved => closed
2018-02-02 09:10alostaleFixed in Version => 3.0PR18Q2
2018-02-20 10:49hgbotCheckin
2018-02-20 10:49hgbotNote Added: 0102521
2018-02-22 18:18hudsonbotCheckin
2018-02-22 18:18hudsonbotNote Added: 0102690
2018-02-22 18:18hudsonbotCheckin
2018-02-22 18:18hudsonbotNote Added: 0102691
2018-02-22 18:18hudsonbotCheckin
2018-02-22 18:18hudsonbotNote Added: 0102709
2018-02-22 18:19hudsonbotCheckin
2018-02-22 18:19hudsonbotNote Added: 0102779

Notes
(0101998)
hgbot   
2018-01-26 14:21   
Repository: erp/devel/pi
Changeset: 4bf409c90fd1d716d76f8f4d3f582222316c10cd
Author: Antonio Moreno <antonio.moreno <at> openbravo.com>
Date: Thu Jan 25 17:45:45 2018 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/4bf409c90fd1d716d76f8f4d3f582222316c10cd [^]

Fixed issue 37667. Cookie identifier will now be regenerated just after logging in the application.
Now every login the session will be invalidated and regenerated immediately, thus forcing a cookie identifier reset.

---
M src/org/openbravo/base/secureApp/LoginHandler.java
---
(0101999)
hgbot   
2018-01-26 14:21   
Repository: erp/devel/pi
Changeset: b53aa5f1574afc534deaa235f42364784756d8d0
Author: Antonio Moreno <antonio.moreno <at> openbravo.com>
Date: Fri Jan 26 09:37:51 2018 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/b53aa5f1574afc534deaa235f42364784756d8d0 [^]

Related to issue 37667. Cookie won't be reset in password reset flow, as it was just reset in the previous request.

---
M src/org/openbravo/base/secureApp/LoginHandler.java
---
(0102000)
hgbot   
2018-01-26 14:21   
Repository: erp/pmods/org.openbravo.mobile.core
Changeset: ca10efa411dc8d9c707ad03a65aa0c8ff6409e4e
Author: Antonio Moreno <antonio.moreno <at> openbravo.com>
Date: Thu Jan 25 17:41:37 2018 +0100
URL: http://code.openbravo.com/erp/pmods/org.openbravo.mobile.core/rev/ca10efa411dc8d9c707ad03a65aa0c8ff6409e4e [^]

Fixed issue 37667. Cookie identifier will now be regenerated just after logging in the application.
super.doPost() is now called before setting session information, because the main core implementation of LoginHandler now invalidates and generates a new session to force a cookie identifier reset.
Besides, it's no longer necessary to clear the session because the previous one is already invalidated.

---
M src/org/openbravo/mobile/core/login/MobileCoreLoginHandler.java
---
(0102133)
hgbot   
2018-02-02 09:09   
Repository: erp/devel/pi
Changeset: 5ae490fd31460fdf1880611bb15426f448d4c7ca
Author: Asier Lostalé <asier.lostale <at> openbravo.com>
Date: Fri Feb 02 09:09:39 2018 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/5ae490fd31460fdf1880611bb15426f448d4c7ca [^]

related to issue 37667: Cookie should be regenerated when logging

  -removed uncommented param in javadoc
  -updated copyright

---
M src/org/openbravo/base/secureApp/LoginHandler.java
---
(0102134)
alostale   
2018-02-02 09:10   
reviewed + tested
(0102521)
hgbot   
2018-02-20 10:49   
Repository: erp/devel/pi
Changeset: 1f779d1c4bf0783e42d12140b97db18a8b0ac2ac
Author: Jorge Garcia <jorge.garcia <at> openbravo.com>
Date: Tue Feb 20 10:48:55 2018 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/1f779d1c4bf0783e42d12140b97db18a8b0ac2ac [^]

Verifies issue 37667: Cookie should be regenerated when logging in the application

Added ResetCookieOnLogin test.

---
M src-test/src/org/openbravo/test/AllWebserviceTests.java
A src-test/src/org/openbravo/test/datasource/ResetCookieOnLogin.java
---
(0102690)
hudsonbot   
2018-02-22 18:18   
A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/980a6ad5bbf5 [^]
Maturity status: Test
(0102691)
hudsonbot   
2018-02-22 18:18   
A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/980a6ad5bbf5 [^]
Maturity status: Test
(0102709)
hudsonbot   
2018-02-22 18:18   
A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/980a6ad5bbf5 [^]
Maturity status: Test
(0102779)
hudsonbot   
2018-02-22 18:19   
A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/980a6ad5bbf5 [^]
Maturity status: Test