User 'A' was logged into Bitbucket Server via Crowd Authentication on Friday and left their computer running over the long weekend.
On Tuesday User 'A' went back to their computer and created a Pull Request in Bitbucket. The Pull Request was submitted as User 'B'. User 'A' then noticed their Avatar and profile were of User 'B' in Bitbucket and believes they were also the same in Confluence and Jira.
Crowd is configured for database storage and to expire tokens after 12 hours; however, in this case the token did not expire, or it did but User 'B' got the same token by chance and updated the expiration date when they logged in on Tuesday before User 'A' did.
I checked the Crowd Session Cookie and it does not have an expiration date; it is set to last as long as the browser session. If the browser session is left up for a long time, this sounds like a problem.
Atlassian Standard Support provided only break/fix support, e.g. User 'A' logged out and logged back in again and was themselves again, so it is 'fixed'.
This is a much more concerning issue; it would seem to indicate that Crowd SSO is not secure enough for production use.
Anyone else seen this or have any thoughts?
Thank you for responding Marcin, I have replied via email with the ticket info.
Seoras
Hi @Seoras Ray,
Our Crowd development team is looking into that issue and I will post an update as soon as I have more details on it.
Best Regards,
Marcin Kempa