User 'A' was logged into Bitbucket Server via Crowd Authentication on Friday and left their computer running over the long weekend.
On Tuesday User 'A' went back to their computer and created a Pull Request in Bitbucket. The Pull Request was submitted as User 'B'. User 'A' then noticed their Avatar and profile were of User 'B' in Bitbucket and believes they were also the same in Confluence and Jira.
Crowd is configured for database storage and to expire tokens after 12 hours, however in this case the token did not expire, or did but User 'B' got the same token by chance and updated the expiration date when they logged in Tuesday before User 'A' did.
I checked the Crowd Session Cookie and it does not have an expiration date; it is set to last as long as the browser session. If the browser session is left up for a long time, this sounds like a problem.
Atlassian Standard Support provided only break/fix support, e.g. User 'A' logged out and logged back in again and was themselves again, so it is 'fixed'.
This is a much more concerning issue; it would seem to indicate that Crowd SSO is not secure enough for production use.
Anyone else seen this or have any thoughts?
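The post contrasts two separate lifetimes: the browser cookie (which here lasts for the browser session) and the server-side token record (configured to expire after 12 hours). The following is an added illustration, not Atlassian's or Crowd's code, of the property a defender would want to verify in any SSO deployment: token expiry is enforced by the server regardless of how long the client keeps the cookie, and each login mints a fresh unguessable token so that two users can never end up sharing one. The token store, the 12-hour lifetime, the user names, the cookie name `sso_token` and the sample `Set-Cookie` headers are all constructed for this example.

```python
"""Added example (not Crowd's implementation): server-side token expiry that
does not depend on the cookie's lifetime, plus a check for whether a
Set-Cookie header carries an explicit expiry attribute."""
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed to mirror the 12-hour setting described in the post.
TOKEN_LIFETIME = timedelta(hours=12)


class TokenStore:
    """Hypothetical SSO token store keyed by an opaque random token."""

    def __init__(self) -> None:
        self._tokens: dict[str, tuple[str, datetime]] = {}  # token -> (user, expires_at)

    def issue(self, user: str, now: datetime) -> str:
        # Always mint a fresh, cryptographically random token on login.
        # Never reuse or extend an existing record, so a second user's
        # login cannot refresh a token that belongs to someone else.
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user, now + TOKEN_LIFETIME)
        return token

    def validate(self, token: str, now: datetime) -> Optional[str]:
        # The server decides validity from its own clock and record;
        # a browser that kept the cookie past expiry is still rejected.
        entry = self._tokens.get(token)
        if entry is None:
            return None
        user, expires_at = entry
        if now >= expires_at:
            del self._tokens[token]  # purge so the stale token cannot be reused
            return None
        return user

    def logout(self, token: str) -> None:
        self._tokens.pop(token, None)


def cookie_has_explicit_lifetime(set_cookie: str) -> bool:
    """True if a Set-Cookie header sets Expires or Max-Age.

    A cookie without either attribute is a session cookie: the browser keeps
    it until the window is closed, which is what the post observed.
    """
    attrs = [part.strip().split("=", 1)[0].lower() for part in set_cookie.split(";")[1:]]
    return "expires" in attrs or "max-age" in attrs


def simulate_long_weekend() -> dict:
    """Replay the post's timeline against the store (constructed dates)."""
    store = TokenStore()
    friday = datetime(2024, 5, 24, 17, 0, tzinfo=timezone.utc)
    tuesday = friday + timedelta(days=4)

    token_a = store.issue("userA", friday)          # user A logs in Friday
    token_b = store.issue("userB", tuesday)         # user B logs in Tuesday
    return {
        "a_valid_friday": store.validate(token_a, friday + timedelta(hours=1)),
        "a_valid_tuesday": store.validate(token_a, tuesday + timedelta(minutes=5)),
        "b_valid_tuesday": store.validate(token_b, tuesday + timedelta(minutes=5)),
        "tokens_distinct": token_a != token_b,
    }


if __name__ == "__main__":
    print(simulate_long_weekend())
    # Constructed headers: the first resembles the session-only cookie in the post.
    print(cookie_has_explicit_lifetime("sso_token=abc123; Path=/; HttpOnly; Secure"))
    print(cookie_has_explicit_lifetime("sso_token=abc123; Path=/; Max-Age=43200; HttpOnly; Secure"))
```

Run stand-alone, the simulation shows user A's Friday token still validating an hour later but being rejected on Tuesday, while user B's fresh token validates and differs from A's. The cookie check is the same inspection the post describes doing by hand: a `Set-Cookie` with no `Expires` or `Max-Age` is a session cookie, which is acceptable only if the server enforces expiry itself as the store above does.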
Hi @Seoras Ray,
Our Crowd development team is looking into that issue and I will post an update as soon as I have more details on it.
Best Regards,
Marcin Kempa
Thank you for responding Marcin, I have replied via email with the ticket info.
Seoras
Hi @Seoras Ray,
Indeed, the situation you've described is not the way it should be. At the moment I am not aware of similar issues with Crowd SSO. However, I would like to understand it better; would you mind sending me the support ticket you are referring to? My email address is mkempa@atlassian.com.
Best Regards,
Marcin Kempa