
Webapp session stealing from another user.


Article ID: 228165


Products

CA Spectrum

Issue/Introduction

We see the following strange behavior when using the webapp.

Different clients receive the message "session has been resumed" when connecting to the webapp, before entering any credentials.

At the bottom of the web console, one user saw a colleague's user ID rather than his own, and https://localhost instead of the IP address of the OneClick server.

We confirmed that the other user had been kicked out with the message "same session was started in another window".

This is a serious security issue for the customer.

Cause

OneClick (OC) webapp clients connect through a load balancer that is not configured for sticky sessions.

Environment

Release : 20.2

Component :

Resolution

Because Webswing is a stateful application server, load balancing must be set up with sticky sessions. Sticky sessions ensure that a particular user is always routed to the same Webswing server, where that user's session is running. Another common issue is a load balancer configuration that does not allow the WebSocket HTTP connection upgrade, which in practice amplifies the missing-sticky-session problem: every reconnect is a fresh request that can be routed to a different backend.

Enable sticky sessions on your load balancer.
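As an added illustration of the two settings the resolution describes, the following nginx reverse-proxy configuration shows a sticky-session upstream together with the WebSocket upgrade headers. This is example configuration written for this article, not CA Spectrum or Webswing documentation; the upstream name, host names, ports and certificate paths are placeholders, and the X-Forwarded headers are standard reverse-proxy practice rather than something the article itself requires.

```nginx
# Added example, not from the CA Spectrum / Webswing documentation.
# Host names, ports, certificate paths and the upstream name are placeholders.

upstream webswing_pool {
    # Sticky sessions: ip_hash pins each client IP to one backend, so a user's
    # requests and WebSocket reconnects always reach the node holding that
    # user's Webswing session. Without a stickiness directive here, requests
    # are distributed round-robin and can land on a node that holds a
    # different user's session, which is the behavior reported above.
    # (Cookie-based "sticky cookie" exists only in the commercial NGINX Plus.)
    ip_hash;
    server oneclick-node1.example.internal:8080;   # placeholder backend
    server oneclick-node2.example.internal:8080;   # placeholder backend
}

server {
    listen 443 ssl;
    server_name oneclick.example.internal;              # placeholder
    ssl_certificate     /etc/nginx/certs/oneclick.crt;  # placeholder
    ssl_certificate_key /etc/nginx/certs/oneclick.key;  # placeholder

    location / {
        proxy_pass http://webswing_pool;

        # Allow the WebSocket HTTP connection upgrade. Omitting these three
        # lines is the "invalid load balancer configuration" the resolution
        # mentions: the client falls back to repeated plain HTTP requests,
        # each of which is a new routing decision.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Forward the original host and scheme to the backend (assumption:
        # standard reverse-proxy practice, not a setting the article names).
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # A Webswing session is a long-lived WebSocket; keep nginx from
        # closing it on the default 60 s idle read timeout.
        proxy_read_timeout 3600s;
    }
}
```

Two caveats for the check after deploying this: ip_hash keys on the client address, so all users behind one NAT share a backend (correct, but uneven), and any proxy in front of nginx must pass the real client address or every user hashes to the same node. To verify the fix, open the webapp from two different machines and confirm that neither shows "session has been resumed" before login and that the user ID in the console footer matches the logged-in user.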