
Duplicate Session Tokens - User was logged in as another User!

User 'A' was logged into Bitbucket Server via Crowd Authentication on Friday and left their computer running over the long weekend.

On Tuesday User 'A' went back to their computer and created a Pull Request in Bitbucket. The Pull Request was submitted as User 'B'. User 'A' then noticed their Avatar and profile were of User 'B' in Bitbucket and believes they were also the same in Confluence and Jira.

Crowd is configured for database storage and to expire tokens after 12 hours; however, in this case the token did not expire, or it did but User 'B' got the same token by chance and updated the expiration date when they logged in on Tuesday before User 'A' did.

I checked the Crowd session cookie and it does not have an expiration date; it is set to last as long as the browser session. If the browser session is left up for a long time, this sounds like a problem.

Atlassian Standard Support provided only break/fix support, e.g. User 'A' logged out and logged back in again and was themselves again, so it is 'fixed'.

This is a much more concerning issue; it would seem to indicate that Crowd SSO is not secure enough for production use.

Anyone else seen this or have any thoughts?
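As an added illustration (not part of this thread and not Crowd's own code; all names are assumed), a minimal server-side session store showing the two properties the post is worried about: a token must be rejected once its server-side expiry passes even if the browser still presents it, and a newly issued token must never collide with one still mapped to another user. The cookie is also bounded with Max-Age instead of being a browser-session cookie.

```python
import secrets
from dataclasses import dataclass

SESSION_TTL = 12 * 3600  # assumed: the 12-hour expiry described in the post


@dataclass
class Session:
    user: str
    issued_at: float
    expires_at: float  # absolute expiry; not extended on use


class SessionStore:
    """Server-side session table; the browser cookie carries only the token."""

    def __init__(self, ttl=SESSION_TTL, token_bytes=32):
        self.ttl = ttl
        self.token_bytes = token_bytes
        self._sessions = {}

    def issue(self, user, now):
        # 256-bit CSPRNG token; a collision with a live token is practically
        # unreachable, but the check makes the "same token by chance" case impossible.
        token = secrets.token_urlsafe(self.token_bytes)
        while token in self._sessions:
            token = secrets.token_urlsafe(self.token_bytes)
        self._sessions[token] = Session(user, now, now + self.ttl)
        return token

    def resolve(self, token, now):
        """Return the user for a token, or None if unknown or past its expiry."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if now >= session.expires_at:
            del self._sessions[token]  # stale token is purged, never re-resolved
            return None
        return session.user

    def cookie_header(self, token):
        # Max-Age bounded to the server TTL, so a browser left open over a weekend
        # stops presenting a token the server has already expired.
        return (f"Set-Cookie: sso_token={token}; Max-Age={self.ttl}; "
                "Path=/; Secure; HttpOnly; SameSite=Lax")


def weekend_scenario():
    """Replay the post's timeline: A logs in Friday, B logs in Tuesday, A acts Tuesday."""
    store = SessionStore()
    friday, tuesday = 0.0, 4 * 24 * 3600.0
    tok_a = store.issue("A", friday)
    tok_b = store.issue("B", tuesday)
    return {"a_on_tuesday": store.resolve(tok_a, tuesday + 60),
            "b_on_tuesday": store.resolve(tok_b, tuesday + 60),
            "tokens_distinct": tok_a != tok_b}
```

With an absolute server-side expiry, A's Friday token resolves to nobody on Tuesday (forcing a fresh login) rather than to whichever user most recently renewed a matching token.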

1 comment

Marcin Kempa Atlassian Team Feb 21, 2018

Hi @Seoras_Ray,

Indeed, the situation you've described is not the way it should be. At the moment I am not aware of similar issues with Crowd SSO. However, I would like to understand it better; would you mind sending me the support ticket you are referring to? My email address is mkempa@atlassian.com.

Best Regards,

Marcin Kempa

Thank you for responding, Marcin. I have replied via email with the ticket info.

Seoras

Marcin Kempa Atlassian Team Feb 21, 2018

Hi @Seoras_Ray,

Our Crowd development team is looking into that issue and I will post an update as soon as I have more details on it.

Best Regards,

Marcin Kempa
