"Your session has expired" when inserting image
"Your session has expired" when inserting image
Hello,
I am using Web Author 26.1 version. Web Author is linked to a CMS.
We have a DITA environment in which users can insert media from the CMS. The insertions work well for videos but for images, the user frequently gets the "A problem has occured, Your session has expired" dialog box.
If I look at the cookies in Chrome's development tools, it seems to me that the request https://ourdomain/web-author-component/ ... -media-url invalidates the Web author session cookie
Indeed, the request responds
Do you have any idea about this issue?
Thanks,
Johann
I am using Web Author 26.1 version. Web Author is linked to a CMS.
We have a DITA environment in which users can insert media from the CMS. The insertions work well for videos but for images, the user frequently gets the "A problem has occured, Your session has expired" dialog box.
If I look at the cookies in Chrome's development tools, it seems to me that the request https://ourdomain/web-author-component/ ... -media-url invalidates the Web author session cookie
Indeed, the request responds
- image.png (5.37 KiB) Viewed 317 times
Thanks,
Johann
-
Bogdan Dumitru
- Site Admin
- Posts: 158
- Joined: Tue Mar 20, 2018 5:28 pm
Re: "Your session has expired" when inserting image
Hello Johann,
I think that this is caused by a security feature of the product, a protection against session fixation attacks. If the application sense that a user session is authenticated to a file server, it changes the session cookie so that if an attacker fixates his cookie to a victim and lure the victim to authenticate, the attacker won't be able to use that cookie anymore.
Normally, for a regular usage of the application, this is not a problem. When the user authenticates, the response updates the session cookie to the browser and subsequent requests will use that cookie and will work. The only problem that may appear: if between the point when the server generates a new cookie session and sends it to the client (via request response) and the point when the client receives the response and applies the new cookie, a parallel request is made, a request containing the old session cookie. The parallel request made with the old session cookie are not fulfilled. But normally during authentication there is no other requests flying around.
One of the cases when the application sense that a user session is authenticated to a file server is when the ro.sync.ecss.extensions.api.webapp.SessionStore.put(String, String, T) API is used. The application doesn't know what data is stored on the session and by default considers everything as a potential authentication information.
If you store information on SessionStore that do not elevates user's permissions or do not authenticate user's session, use ro.sync.ecss.extensions.api.webapp.SessionStore.putWithoutSessionCookieRefresh(String, String, T) API method that explicitly do not lead to the session cookie to be refreshed.
I think that this is caused by a security feature of the product, a protection against session fixation attacks. If the application sense that a user session is authenticated to a file server, it changes the session cookie so that if an attacker fixates his cookie to a victim and lure the victim to authenticate, the attacker won't be able to use that cookie anymore.
Normally, for a regular usage of the application, this is not a problem. When the user authenticates, the response updates the session cookie to the browser and subsequent requests will use that cookie and will work. The only problem that may appear: if between the point when the server generates a new cookie session and sends it to the client (via request response) and the point when the client receives the response and applies the new cookie, a parallel request is made, a request containing the old session cookie. The parallel request made with the old session cookie are not fulfilled. But normally during authentication there is no other requests flying around.
One of the cases when the application sense that a user session is authenticated to a file server is when the ro.sync.ecss.extensions.api.webapp.SessionStore.put(String, String, T) API is used. The application doesn't know what data is stored on the session and by default considers everything as a potential authentication information.
If you store information on SessionStore that do not elevates user's permissions or do not authenticate user's session, use ro.sync.ecss.extensions.api.webapp.SessionStore.putWithoutSessionCookieRefresh(String, String, T) API method that explicitly do not lead to the session cookie to be refreshed.
Bogdan Dumitru
http://www.oxygenxml.com
http://www.oxygenxml.com