"Your session has expired" when inserting image
Having trouble deploying Oxygen XML Web Author? Got a bug to report? Post it all here.
- Posts: 240
- Joined: Wed Jun 17, 2015 12:46 pm
Hello,
I am using Web Author 26.1 version. Web Author is linked to a CMS.
We have a DITA environment in which users can insert media from the CMS. The insertions work well for videos, but for images the user frequently gets the "A problem has occurred, Your session has expired" dialog box.
If I look at the cookies in Chrome's developer tools, it seems to me that the request https://ourdomain/web-author-component/ ... -media-url invalidates the Web Author session cookie.
Indeed, the request responds
[attached screenshot: image.png]
Do you have any idea about this issue?
Thanks,
Johann
- Site Admin
- Posts: 172
- Joined: Tue Mar 20, 2018 5:28 pm
Re: "Your session has expired" when inserting image
Post by Bogdan Dumitru »
Hello Johann,
I think that this is caused by a security feature of the product, a protection against session fixation attacks. If the application senses that a user session is authenticated to a file server, it changes the session cookie, so that if an attacker fixates his cookie on a victim and lures the victim to authenticate, the attacker won't be able to use that cookie anymore.
Normally, for regular usage of the application, this is not a problem. When the user authenticates, the response updates the session cookie in the browser, and subsequent requests will use that cookie and will work. The only problem that may appear: if, between the point when the server generates a new session cookie and sends it to the client (via the request response) and the point when the client receives the response and applies the new cookie, a parallel request is made containing the old session cookie, then the parallel requests made with the old session cookie are not fulfilled. But normally during authentication there are no other requests flying around.
One of the cases when the application senses that a user session is authenticated to a file server is when the ro.sync.ecss.extensions.api.webapp.SessionStore.put(String, String, T) API is used. The application doesn't know what data is stored on the session and by default considers everything as potential authentication information.
If you store information in the SessionStore that does not elevate the user's permissions or authenticate the user's session, use the ro.sync.ecss.extensions.api.webapp.SessionStore.putWithoutSessionCookieRefresh(String, String, T) API method, which explicitly does not cause the session cookie to be refreshed.
Bogdan Dumitru
http://www.oxygenxml.com
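As an added illustration of the mechanism described in the reply above (a constructed model, not Oxygen Web Author's own code): a session store that rotates the session id whenever possibly-authenticating data is stored, in the spirit of SessionStore.put, next to a non-rotating variant in the spirit of putWithoutSessionCookieRefresh. The login_race function reproduces the "session expired" outcome for a request that still carries the old cookie while the login response is in flight; all class, function and value names here are hypothetical.

```python
import secrets


class SessionStore:
    """Server-side sessions keyed by the session cookie value (constructed model)."""

    def __init__(self):
        self._sessions = {}  # session id -> stored attributes

    def create(self):
        sid = secrets.token_hex(16)
        self._sessions[sid] = {}
        return sid

    def is_valid(self, sid):
        return sid in self._sessions

    def put(self, sid, key, value):
        """Store data that may authenticate the session and rotate the id.
        The old id stops being accepted, so a cookie fixed on the victim before
        login is useless afterwards; the new id must go back in the response."""
        data = self._sessions.pop(sid)
        data[key] = value
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = data
        return new_sid

    def put_without_session_cookie_refresh(self, sid, key, value):
        """Store non-authenticating data without rotating; the cookie stays valid."""
        self._sessions[sid][key] = value
        return sid

    def get(self, sid, key):
        return self._sessions[sid].get(key)


def handle_request(store, cookie_sid, action):
    """Returns (status, cookie value the response sets); unknown cookies are rejected."""
    if not store.is_valid(cookie_sid):
        return "Your session has expired", cookie_sid
    if action == "login":  # authenticates the user to the file server (hypothetical)
        return "ok", store.put(cookie_sid, "cms-token", "token-constructed")
    if action == "remember-folder":  # UI preference only, grants no privilege
        return "ok", store.put_without_session_cookie_refresh(cookie_sid, "folder", "/media")
    return "ok", cookie_sid


def login_race(store):
    """Login response still in flight: a parallel request carries the old cookie."""
    old_sid = store.create()
    status, new_sid = handle_request(store, old_sid, "login")
    parallel, _ = handle_request(store, old_sid, "insert-image")  # old cookie -> rejected
    after, _ = handle_request(store, new_sid, "insert-image")  # new cookie -> works
    return status, parallel, after
```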