-
Notifications
You must be signed in to change notification settings - Fork 6
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG] Session returned to the wrong ARCitect processus after login #297
Comments
Thank you for raising this issue but ARCitect was not intended to support this usage scenario. The problem is that ARCitect relies on the standard oauth2 authentification process which shares the browser cache. I will try a workaround though that setups a separate cache per ARCitect instance. The downside is that after every ARCitect restart the user will have to enter the credentials again. I also have a related question: in your usage scenario can both users login on the github / datahub webpage with their respective accounts? At the same time of course. I'm not familiar enough with windows server. |
To describe in more detail, we have a Windows server on a very large processing station. Windows server allows concurrent users to log into their account and do whatever in their Windows account. -> Maybe there's the same issue with "Switching users" in Windows. Note also, when I saw the bug described here, we were using the ARCitect app from the same folder (a folder with shared apps between users). Could have its importance, I have zero idea how the app works. I'd have to reproduce the issue with someone to tell you more about sessions in browser.
I'm all in for single sign-on, but if that means throwing session tokens to the first app that requests it, it's probably not worth it. |
As a wild guess, if a fixed port is being used to start up the local oauth handler, Windows may silently permit reusing the port while OS loudly objects. If so, even using a random port may not suffice in that a malicious client could try multiple ports to steal credentials. Possible passing a token from the client to the proxy would suffice, but I imagine there are safer ways to do it. Note: this issue might should be moved to a private secvuln repo. |
OS and framework information (please complete the following information):
Describe the bug
On a Windows server, two users have a session open. The first starts ARCitect and logs in, everything is working normally.
When the second user starts ARCitect and logs in, there is no error shown, but no login appears on the ARCitect. Instead, the first user has obtained the session from the second without his awareness (the display username changes in the ARCitect of the first).
I guess that the session is returned to the first ARCitect processus found.
So if someone forgets to close ARCitect, that person will then prevent anyone else from using ARCitect on the system; but this is more of a security concern to me.
The text was updated successfully, but these errors were encountered: