Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[BUG] Session returned to the wrong ARCitect processus after login #297

Open
Tom-TBT opened this issue Nov 7, 2024 · 4 comments
Open

[BUG] Session returned to the wrong ARCitect processus after login #297

Tom-TBT opened this issue Nov 7, 2024 · 4 comments
Assignees
Labels
Type: Bug Something is not working, and it is confirmed by maintainers to be a bug.

Comments

@Tom-TBT
Copy link

Tom-TBT commented Nov 7, 2024

OS and framework information (please complete the following information):

  • OS: Windows Server 2016

Describe the bug
On a Windows server, two users have a session open. The first starts ARCitect and logs in, everything is working normally.

When the second user starts ARCitect and logs in, there is no error shown, but no login appears on the ARCitect. Instead, the first user has obtained the session from the second without his awareness (the display username changes in the ARCitect of the first).

I guess that the session is returned to the first ARCitect processus found.

So if someone forgets to close ARCitect, that person will then prevent anyone else from using ARCitect on the system; but this is more of a security concern to me.

@github-actions github-actions bot added the Status: Needs Triage This item is up for investigation. label Nov 7, 2024
@JonasLukasczyk JonasLukasczyk self-assigned this Nov 19, 2024
@JonasLukasczyk JonasLukasczyk added Type: Bug Something is not working, and it is confirmed by maintainers to be a bug. and removed Status: Needs Triage This item is up for investigation. labels Nov 19, 2024
@JonasLukasczyk
Copy link
Collaborator

JonasLukasczyk commented Nov 19, 2024

Thank you for raising this issue but ARCitect was not intended to support this usage scenario. The problem is that ARCitect relies on the standard oauth2 authentification process which shares the browser cache. I will try a workaround though that setups a separate cache per ARCitect instance. The downside is that after every ARCitect restart the user will have to enter the credentials again.

I also have a related question: in your usage scenario can both users login on the github / datahub webpage with their respective accounts? At the same time of course. I'm not familiar enough with windows server.

@Tom-TBT
Copy link
Author

Tom-TBT commented Nov 19, 2024

To describe in more detail, we have a Windows server on a very large processing station. Windows server allows concurrent users to log into their account and do whatever in their Windows account.

-> Maybe there's the same issue with "Switching users" in Windows.

Note also, when I saw the bug described here, we were using the ARCitect app from the same folder (a folder with shared apps between users). Could have its importance, I have zero idea how the app works.

I'd have to reproduce the issue with someone to tell you more about sessions in browser.

The problem is that ARCitect relies on the standard oauth2 authentification process which shares the browser cache

I'm all in for single sign-on, but if that means throwing session tokens to the first app that requests it, it's probably not worth it.

@Brilator
Copy link
Member

Brilator commented Nov 20, 2024

-> Maybe there's the same issue with "Switching users" in Windows.

It's also an issue on macOS:

  1. Open ARCitect
  2. Leave ARCitect open and switch user
  3. Try to open ARCitect from other user, see error:
Screenshot 2024-11-20 at 13 45 37

I can click ok and keep working with ARCitect.

@joshmoore
Copy link

As a wild guess, if a fixed port is being used to start up the local oauth handler, Windows may silently permit reusing the port while OS loudly objects. If so, even using a random port may not suffice in that a malicious client could try multiple ports to steal credentials. Possible passing a token from the client to the proxy would suffice, but I imagine there are safer ways to do it.

Note: this issue might should be moved to a private secvuln repo.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Type: Bug Something is not working, and it is confirmed by maintainers to be a bug.
Projects
Status: No status
Development

No branches or pull requests

4 participants