FishEye and Crucible

Issue 4909 was due to a security concern - reverting the change means reintroducing the security concern (session ID reuse). If the code doesn't work then it's a string reason to change something, but we shouldn't leave this hanging.

Do you either disagree with the original security concern, or have a proposal for a different way to handle this concern?

A bit more detail on this:

"Session fixation attacks are possible on a shared desktop where a attacker
pregenerates an INVALID session and then tricks a valid user to authenticate.
As a result both the attacker and the valid user have a valid session.
Automated vulnerability testers like WhiteHat flag this issue as a security hole."

An alternate fix was proposed at the same time:

"b) Use hidden fields to maintain pre-authn state - instead of a invalid session
on the server."

PS: There should be a JIRA issue linked to this, right?

We believe the original security attack is false.

"shared desktop where a attacker pregenerates an INVALID session and then tricks a valid user to authenticate. "

You cannot pregenerate an INVALID session, you can generate a OpenAM session that's state is invalid. Typically you will have 120 seconds to do the following:

a) The attacker accesses the Auth UI
b) The attacker captures the SSOTokenID by writing down the SSOTokenID
c) The attacker then finds someone to login within the amount of time left who failed to see this from happening.

We just don't see this as a realistic attack vector and the fix was to break the original OpenAM architecture.

If this commit stays in trunk, then it is really critical to fix OPENAM-89 for the next release.