benlucchesi / grails-cookie-session

cookie sessions for grails applications

logout with spring-security enabled #28

Closed th3morg closed 10 years ago

th3morg commented 10 years ago

First off, thank you very much for providing this plugin and continuing the development effort on it.

Everything seems to work fine for me while using the plugin in tandem with spring-security, however logout doesn't seem to function properly. When I log out via the provided spring-security controller, my cookie remains stored in the browser and subsequent log in attempts fail to replace the cookie. When I delete the cookie manually, I am then able to log in.

Here is my config for reference:

    cookiesession {
        enabled = true
        encryptcookie = true
        cryptoalgorithm = "Blowfish"
        cookiecount = 10
        maxcookiesize = 4096 // 4kb
        sessiontimeout = 3600 * 24 // one day
        cookiename = 'some.name'
        condenseexceptions = true
        setsecure = false
        serializer = 'java'
        springsecuritycompatibility = true
    }

I appreciate any help you can provide. I will continue to investigate.

Thanks!

benlucchesi commented 10 years ago

That doesn't sound good.

What is the exact URL you're going to log out or are you trying to go to the dispatch handler directly? If you're trying to go to the dispatch handler directly, try going to: http://

//logout

Also, if you're using spring security, I highly recommend using Kryo encryption. Java encryption is reliable, but with all the spring security data that can potentially get added to the cookie, you may run out of space.

Can you give me steps to reproduce?

thanks,

Ben Lucchesi | Chief Software Architect | Granicus Inc. 600 Harrison Street, Suite 120 San Francisco, CA 94107 work: 415.357.3618 x1300 | fax: 415.618.0102 | cell: 775.250.3396


th3morg commented 10 years ago

Ben, Thank you for getting back to me so quickly and for the recommendation on serializer choice. I am indeed going to http://localhost:8080/logout (I have my app.context set to /). I determined that what is happening is that a Grails anonymous user authentication ends up getting saved after I log out (which I believe may be an issue due to how the Grails spring-security plugin handles anonymous users in 2.0). Then when I try to log back in, there is an existing session because that cookie was written. This cookie gets loaded into the session, so when SessionRepositoryRequestWrapper.getSession(true) is called within SessionFixationProtectionStrategy.applySessionFixation(), the session is not null and the new session with the newly authenticated user is not created. My expectation would be that SessionRepositoryRequestWrapper.getSession would also create a new session with something like "if( (session == null || !session.isValid()) && create )" so that invalidated sessions would also result in a new session getting created. I would like to test this and then have you pull it in if it is a successful and logical implementation change.

Also, my spring config has the following:

    springsecurity {
        sessionFixationPrevention {
            migrate = true
            alwaysCreateSession = true
        }
    }

To reproduce this, I would expect that you would have to do the following:

  1. Create a Grails 2.3.0 app
  2. Install spring-security-core: compile ':spring-security-core:2.0-RC2'
  3. Run the script to create users and roles and get basic login working
  4. Install the cookie session plugin and use the settings I have provided

If we can't work through it, I may try to do exactly this and see if I can reproduce on a clean project for diagnostic purposes. Thanks again for the help!
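The getSession(create) behaviour the reporter describes above, as an added example that is not part of the plugin or of this thread. It is a standalone Groovy script in which the class names `CookieBackedSession` and `RequestWrapper` are hypothetical stand-ins for the plugin's session object and `SessionRepositoryRequestWrapper`; the stale session it constructs stands for a session that logout invalidated but that was still written back into the cookie. It contrasts the "create only when null" check with the proposed "create when null or invalid" check.

```groovy
// Added example, not the plugin's own code. Models the decision made inside
// getSession(create) when SessionFixationProtectionStrategy asks for a session
// right after logout. All names here are hypothetical stand-ins.

class CookieBackedSession {
    String id
    Map<String, Object> attributes = [:]
    private boolean alive = true

    // What logout does to the session object before the cookie is rewritten.
    void invalidate() {
        alive = false
        attributes.clear()
    }

    boolean isValid() { alive }
}

class RequestWrapper {
    // Session restored from the request cookie, or null when no cookie was sent.
    CookieBackedSession session
    int sessionsCreated = 0

    // Behaviour described in the issue: only a missing session triggers creation,
    // so an invalidated session restored from a stale cookie is handed back as-is
    // and the newly authenticated principal never lands in a fresh session.
    CookieBackedSession getSessionOriginal(boolean create) {
        if (session == null && create) {
            session = new CookieBackedSession(id: "s${++sessionsCreated}")
        }
        return session
    }

    // Proposed check from the thread: treat an invalidated session like a missing one.
    CookieBackedSession getSessionProposed(boolean create) {
        if ((session == null || !session.isValid()) && create) {
            session = new CookieBackedSession(id: "s${++sessionsCreated}")
        }
        return session
    }
}

// Constructed scenario: the user logged out (session invalidated), the cookie still
// carries that session, and the fixation strategy now calls getSession(true).
def stale = new CookieBackedSession(id: 'old', attributes: [SPRING_SECURITY_CONTEXT: 'anonymous'])
stale.invalidate()

def original = new RequestWrapper(session: stale)
def s1 = original.getSessionOriginal(true)
assert s1.is(stale) && !s1.isValid()   // caller receives the dead session

def proposed = new RequestWrapper(session: stale)
def s2 = proposed.getSessionProposed(true)
assert !s2.is(stale) && s2.isValid()   // caller receives a fresh, valid session

println "original check -> id=${s1.id} valid=${s1.isValid()}"
println "proposed check -> id=${s2.id} valid=${s2.isValid()}"
```

Run it with `groovy` on the command line; the two assertions pass and the two printed lines show the stale session surviving the first check and being replaced by the second.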

benlucchesi commented 10 years ago

Ok, this is starting to make more sense now :)

I dug into session fixation prevention with another user sometime back and based on my reading of the session fixation strategy implementation, it's not applicable when used with cookie session. The long and short of it was to disable session fixation prevention and it should work fine.

Take a look at this thread and let me know if it makes sense to you... my explanation is at the very end.

https://github.com/benlucchesi/grails-cookie-session-v2/issues/17

I think what I need to do is detect when fixation prevention is enabled and output a warning in the logs :)


th3morg commented 10 years ago

This makes sense, I had done some reading about session fixation and sort of glazed over the fact that this is a bit unique in the fact that the entire session is indeed in this cookie (which is of course the entire point). I'll let you know if this doesn't solve my issue, but I expect it will. Thank you so much for being active on github and for providing a fantastic plugin. You've saved me a lot of time ;)

benlucchesi commented 10 years ago

no worries! glad it was an easy fix ;)

thanks for using the plugin!
