
concord-server: invalidate session on failed login #859

Merged
merged 4 commits into from
Jan 15, 2024
Conversation

ibodrov
Collaborator

@ibodrov ibodrov commented Jan 3, 2024

Apparently, 902e5f5 is not enough -- we need to invalidate the session as well.

@ibodrov ibodrov requested review from a team and removed request for a team January 3, 2024 22:27
@ibodrov ibodrov added the wip Work in progress, do not merge label Jan 3, 2024
brig
brig previously approved these changes Jan 3, 2024
@ibodrov ibodrov removed the wip Work in progress, do not merge label Jan 12, 2024
@ibodrov ibodrov requested a review from brig January 15, 2024 14:17
@ibodrov ibodrov merged commit de331c6 into master Jan 15, 2024
2 checks passed
@ibodrov ibodrov deleted the ib/misc5 branch January 15, 2024 17:24
ibodrov added a commit that referenced this pull request Apr 29, 2024
This effectively reverts #859. The change broke redirect after login
when the authentication times out (e.g. OIDC login). Unfortunately, pac4j
stores the "from" parameter in the session so we need it alive when we
redirect the user between the app and the auth provider.

We might want to use a separate cookie or have a way to differentiate between
onLoginFailure reasons when we make a decision to invalidate the
session.