Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Duplicate Session Tokens - User was logged in as another User!

Seoras Ray
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
February 21, 2018

User 'A' was logged into Bitbucket Server via Crowd Authentication on Friday and left their computer running over the long weekend.

On Tuesday User 'A' went back to their computer and created a Pull Request in Bitbucket. The Pull Request was submitted as User 'B'. User 'A' then noticed their Avatar and profile were of User 'B' in Bitbucket and believes they were also the same in Confluence and Jira.

Crowd is configured for database storage and to expire tokens after 12 hours, however in this case the token did not expire, or did but User 'B' got the same token by chance and updated the expiration date when they logged in Tuesday before User 'A' did.

I checked the Crowd Session Cookie and it does not have an expiration date, it is set to to last as long as the browser session. If the browser session is left up for a long time this sounds like a problem.

Atlassian Standard Support provided only break/fix support, e.g. User 'A' logged out and logged back in again and were themselves so it is 'fixed'.

This is a much more concerning issue, this would seem to indicate that Crowd SSO is not secure enough for production use.

Anyone else seen this or have any thoughts?

1 comment

Marcin Kempa
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
February 21, 2018

Hi @Seoras Ray,

 

Indeed the situation you've described is not the way it should be. At the moment I am not aware of similar issues with Crowd SSO. However, I would like to understand it better, would you mind sending me the support ticket you are referring to. My email address is mkempa@atlassian.com.

 

Best Regards,

Marcin Kempa

Seoras Ray
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
February 21, 2018

Thank you for responding Marcin, I have replied via email with the ticket info.

Seoras

Marcin Kempa
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
February 21, 2018

Hi @Seoras Ray,

 

Our Crowd development team is looking into that issue and I will post an update as soon as I have more details on it.

 

Best Regards,

Marcin Kempa

Comment

Log in or Sign up to comment
TAGS
AUG Leaders

Atlassian Community Events