Idea ID: 2773425

Add validation of credentials passed by SSO session to track if credentials were changed

Status: Declined
over 1 year ago

The customer uses a third-party proxy server on which the operator authorizes by manually entering a login and password. When the operator then accesses the SM web tier, those credentials are passed to the SM web client, bypassing the login page (SSO login to SM). After a successful SSO login, SM creates a new session for this user; call it user1.

The operator then logs out of the third-party proxy server and logs in again with different credentials, user2. He then opens the SM web page again (without having closed the browser holding the previous SM session, logged out of SM, or opened a new session for the new connection). The operator expects SM to open a new session for user2, but SM instead continues to work in the session for user1, because that session was never closed and no re-login for user2 took place.

Since SSO always passes the operator's name in its header but SM validates it only at login, the customer asks for a mechanism that validates the login passed by SSO after login as well and, if it has changed (to a non-null value) as in the scenario above, logs out user1 and starts a new session for user2.

One possible workaround is to use JSESSIONID=0 for every session from the third-party proxy server. But even if this workaround is implemented successfully, it will only open a new session for user2; the session for user1 remains active until it is cleared by session-timeout, because there is no mechanism to force-close the previous session when the credentials change.
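The check the idea asks for (compare the SSO header identity to the session owner on every request, and force-close the old session when it changes to a different non-null value) as an added Python example; it is not Service Manager code, and the in-memory session table and method names are constructed stand-ins:

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class SsoSessionGuard:
    """Binds each web session to the operator name asserted by the SSO proxy.

    Constructed model of a web-tier session table (hypothetical, not the
    product's own): enough to show the per-request identity check.
    """
    sessions: dict = field(default_factory=dict)  # session id -> operator name
    closed: list = field(default_factory=list)    # audit trail of forced logouts

    def _new_session(self, operator):
        sid = secrets.token_hex(16)
        self.sessions[sid] = operator
        return sid

    def handle_request(self, session_cookie, sso_header_user):
        """Return the session id this request should continue in.

        sso_header_user is the operator name from the proxy header
        (None or empty when the header is absent).
        """
        current = self.sessions.get(session_cookie)
        if current is None:
            # No valid session: this is the existing 'validate at login' path.
            if not sso_header_user:
                raise PermissionError("no session and no SSO identity")
            return self._new_session(sso_header_user)
        if not sso_header_user or sso_header_user == current:
            # Header missing or unchanged: keep working in the existing session.
            return session_cookie
        # Identity changed after login: force-close the old session (so it does
        # not linger until session-timeout) and start a fresh one for the new user.
        del self.sessions[session_cookie]
        self.closed.append((session_cookie, current))
        return self._new_session(sso_header_user)
```

Running the scenario from the idea (user1 logs in via SSO, the proxy later asserts user2 on the same browser session) yields a new session for user2 and removes user1's session from the table.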