OPENAM-15103

Session logoutbyHandle works with iPDP cookie as shandle

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't Fix
    • Affects Version/s: 6.0.0, 6.5.0, 6.5.0.1, 6.5.1, 6.5.0.2, 7.0.0
    • Fix Version/s: None
    • Component/s: rest, session
    • Labels: None

      Description

      Bug description

      logoutByHandle also works with tokenIds (the iPDP cookie value) when they are passed as session handles

      How to reproduce the issue

      1. Log in as a user and capture the tokenId.
      2. As an admin, get the user's session handle:

        curl -X GET 'http://openam.example.com:28080/openam/json/sessions?_fields=sessionHandle&_queryFilter=username%20eq%20%22demo%22%20and%20realm%20eq%20%22/%22' \
          -H 'Accept-API-Version: resource=3.1, protocol=1.0' \
          -H 'Content-Type: application/json' \
          -H 'iPlanetDirectoryPro: 9kZdHSIMrb4GUPQxsQf2CGy5wF4.*AAJTSQACMDEAAlNLABxDQWtDWmNTSUlDQUU0NEtPN3FFYWQ1TU5Scnc9AAR0eXBlAANDVFMAAlMxAAA.*'

      3. Try to delete the user's session as admin using the logoutByHandle action. This works with the session handle, but it also works when the user's tokenId is passed with the shandle: prefix.

        With the session handle:

        curl -X POST \
          'http://openam.example.com:28080/openam/json/sessions/?_action=logoutByHandle' \
          -H 'Content-Type: application/json' \
          -H 'iPlanetDirectoryPro: 9kZdHSIMrb4GUPQxsQf2CGy5wF4.*AAJTSQACMDEAAlNLABxDQWtDWmNTSUlDQUU0NEtPN3FFYWQ1TU5Scnc9AAR0eXBlAANDVFMAAlMxAAA.*' \
          -d '{
          "sessionHandles": [
            "shandle:5IvwfztMiobINDyOjA3ikshZqMM.*AAJTSQACMDEAAlNLABx1SlZJTjlTazlNRjhRSW5DMXErTDEzSVY1bnM9AAR0eXBlAANDVFMAAlMxAAA.*"
          ]
        }'

        With the actual iPDP cookie value (the tokenId) in place of the handle:

        curl -X POST \
          'http://openam.example.com:28080/openam/json/sessions/?_action=logoutByHandle' \
          -H 'Content-Type: application/json' \
          -H 'iPlanetDirectoryPro: 9kZdHSIMrb4GUPQxsQf2CGy5wF4.*AAJTSQACMDEAAlNLABxDQWtDWmNTSUlDQUU0NEtPN3FFYWQ1TU5Scnc9AAR0eXBlAANDVFMAAlMxAAA.*' \
          -d '{
          "sessionHandles": [
            "shandle:sLSW5brBYYYI2FPVqifn0w7A2zQ.*AAJTSQACMDEAAlNLABx1SlZJTjlTazlNRjhRSW5DMXErTDEzSVY1bnM9AAR0eXBlAANDVFMAAlMxAAA.*"
          ]
        }'

        Both requests are successful.

      Expected behaviour
      logoutByHandle should work only with shandles.

      Current behaviour
      logoutByHandle also works when the shandle is actually the iPDP cookie value (tokenId).

      Although as admin you wouldn't know the tokenId anyway, I think the endpoint should validate the request body and work only with session handles.
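Added illustration, not OpenAM code and not a claim about OpenAM internals: a hypothetical toy session store that contrasts the behaviour reported above (a value prefixed with shandle: is resolved whether it names a handle or a token ID) with the strict lookup the reporter asks for (the prefix is mandatory and only the handle index is consulted). The class and method names, and the TOKEN-/HANDLE- identifiers, are constructed for this example.

```python
# Hypothetical model written to illustrate OPENAM-15103; it is not OpenAM code
# and makes no claim about how OpenAM resolves identifiers internally.

SHANDLE_PREFIX = "shandle:"


class SessionStore:
    """Toy store with the two identifier namespaces an SSO server keeps:
    the token ID (the iPlanetDirectoryPro cookie value, known only to the
    session owner) and the session handle (readable by an admin and used
    to terminate the session from outside).
    """

    def __init__(self):
        self._sessions = {}      # token_id -> {"user": ..., "handle": ...}
        self._handle_index = {}  # handle -> token_id

    def create(self, token_id, handle, user):
        self._sessions[token_id] = {"user": user, "handle": handle}
        self._handle_index[handle] = token_id

    def is_active(self, token_id):
        return token_id in self._sessions

    def _destroy(self, token_id):
        record = self._sessions.pop(token_id)
        self._handle_index.pop(record["handle"], None)
        return record["user"]

    def logout_by_handle_lenient(self, session_handles):
        """Behaviour the ticket reports: once the 'shandle:' prefix is
        stripped, the value is accepted whether it matches a handle or a
        token ID, so a cookie value dressed up as a handle also logs out."""
        outcome = {}
        for value in session_handles:
            key = value[len(SHANDLE_PREFIX):] if value.startswith(SHANDLE_PREFIX) else value
            token_id = self._handle_index.get(key)
            if token_id is None and key in self._sessions:
                token_id = key  # token-ID namespace reached through the handle API
            outcome[value] = self._destroy(token_id) if token_id else None
        return outcome

    def logout_by_handle_strict(self, session_handles):
        """Expected behaviour: the prefix is mandatory and the remainder is
        resolved only through the handle index; anything else is a no-op."""
        outcome = {}
        for value in session_handles:
            if not value.startswith(SHANDLE_PREFIX):
                outcome[value] = None  # malformed entry, never consulted
                continue
            token_id = self._handle_index.get(value[len(SHANDLE_PREFIX):])
            outcome[value] = self._destroy(token_id) if token_id else None
        return outcome


def _seeded_store():
    # Constructed sample identifiers, not real OpenAM tokens or handles.
    store = SessionStore()
    store.create("TOKEN-demo", "HANDLE-demo", "demo")
    return store


def demo():
    """Runs the same request bodies against both lookups and returns the
    results so they can be compared side by side."""
    smuggled = [SHANDLE_PREFIX + "TOKEN-demo"]   # cookie value posing as a handle
    genuine = [SHANDLE_PREFIX + "HANDLE-demo"]   # what an admin actually obtains
    lenient, strict = _seeded_store(), _seeded_store()
    return {
        "lenient_smuggled": lenient.logout_by_handle_lenient(smuggled),
        "strict_smuggled": strict.logout_by_handle_strict(smuggled),
        "demo_still_active_after_strict_smuggled": strict.is_active("TOKEN-demo"),
        "strict_genuine": strict.logout_by_handle_strict(genuine),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The strict variant is the shape of fix the ticket asks for: the endpoint validates each entry of sessionHandles and never falls back to the token-ID namespace, so a caller who happens to hold a cookie value gains nothing by prefixing it with shandle:.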

            People

            • Assignee: Unassigned
            • Reporter: anastasios.kampas Tasos Kampas