ironmansoftware / issues

Public Issue tracker for Ironman Software products.
https://ironmansoftware.com

session variable in apps not working as expected #3362

Closed ScheeleRxNL closed 3 weeks ago

ScheeleRxNL commented 1 month ago

Version

4.2.21

Severity

High

Environment

IIS

Steps to Reproduce

I am having trouble with a session variable in my dashboard app. We have a privileged access management tool running which can be used with APIs. I have created a dashboard with a session variable where the session info is stored for accessing the privileged access management tool. When my colleague also logs in to the dashboard app he has my session, so he used my credentials in his own browser session.

Expected behavior

When I read the documentation, I expected that, when using the session variable scope, the session is stored in my own browser session and no one can use this session variable, as they have their own session variable stored in their browser.

Actual behavior

I expect, as I think the documentation describes, that the session variable is per user browser session

Additional Environment data

No response

Screenshots/Animations

No response

adamdriscoll commented 1 month ago

Are you using a special module to access this PAM tool or are you just using Invoke-RestMethod?

ScheeleRxNL commented 1 month ago

It is an external module which uses its own variable (script scope) to store the web session with the header for authentication. When a user has logged in with this module, the session will be put into a $session: variable in PSU. When another user logs in from his browser, the same thing happens. I expect the session variable for this user to be recreated, but it seems to overwrite it. When he has logged in, I have his session data.

adamdriscoll commented 3 weeks ago

I can reproduce this. This is how I did it.

App:

New-UDApp -Content {
    $Session:Val = New-Guid
    Set-MyModValue -Value $Session:Val

    New-UDButton -Text "Module" -OnClick {
        Show-UDToast (Get-MyModValue)
    }    

    New-UDButton -Text "Session" -OnClick {
        Show-UDToast $Session:Val
    }    
}

Module:

function Set-MyModValue {
    param($Value) 

    $Script:Val = $Value
}

function Get-MyModValue {
    $Script:Val
}

The problem isn't actually the session variable but the module script scope. You can see by clicking the different buttons in the app. The session variable will be correct but the script scope variable will not. Runspaces are pooled in PSU apps so while we reset the runspace state with each execution, it doesn't catch everything. This is one of those circumstances. I would recommend avoiding the script scope for modules used in apps for this reason since it seems to retain the variable state even when a runspace is reset.
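
The script-scope behaviour described in the comment above can be reproduced outside PSU. The following is an added example, not code from the issue or from PowerShell Universal: a single reused runspace and `ResetRunspaceState()` stand in for PSU's runspace pool and its per-execution reset (an assumption about the mechanism), and `Get-MyModToken`, `Invoke-Request` and the token values are hypothetical. It compares module `$Script:` state with a stateless call where the caller passes its own session object.

```powershell
# Constructed stand-in for the external PAM module; all names are hypothetical.
$importModule = @'
New-Module -Name MyMod -ScriptBlock {
    # Leaky pattern: auth state is kept in the module's script scope.
    function Set-MyModValue { param($Value) $Script:Val = $Value }
    function Get-MyModValue { $Script:Val }
    # Stateless pattern: the caller owns the state and passes it on every call.
    function Get-MyModToken { param([Parameter(Mandatory)] $Session) $Session.Token }
} | Import-Module
'@

# One runspace reused for every request, standing in for a pooled runspace.
$rs = [runspacefactory]::CreateRunspace()
$rs.Open()

function Invoke-Request {
    param([string] $Script, [hashtable] $Parameters = @{})
    # Assumption: approximates a per-execution reset; resets the runspace's variable table.
    $rs.ResetRunspaceState()
    $ps = [powershell]::Create()
    $ps.Runspace = $rs
    try { $ps.AddScript($Script).AddParameters($Parameters).Invoke() }
    finally { $ps.Dispose() }
}

Invoke-Request $importModule | Out-Null

# Constructed per-user stores, standing in for each browser's $Session: scope.
$userA = @{ Token = 'token-A' }
$userB = @{ Token = 'token-B' }

# Both users load the app; each load writes that user's token into the module.
$set = 'param($Value) Set-MyModValue -Value $Value'
Invoke-Request $set @{ Value = $userA.Token } | Out-Null
Invoke-Request $set @{ Value = $userB.Token } | Out-Null

# User A now clicks a button: compare what each pattern hands back.
$leaky     = Invoke-Request 'Get-MyModValue'
$stateless = Invoke-Request 'param($Session) Get-MyModToken -Session $Session' @{ Session = $userA }

[pscustomobject]@{
    UserAExpected   = $userA.Token
    ScriptScopeGave = [string] $leaky
    StatelessGave   = [string] $stateless
    CrossUserLeak   = ([string] $leaky -ne $userA.Token)
}
$rs.Dispose()
```

In an app, the stateless pattern means keeping the credential object in `$Session:` and passing it to each module call, so nothing user-specific outlives the request inside the module.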