
Sessions API - logoutByHandle returns true for invalid sessions

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 5.5.1, 6.0.0, 6.5.1, 6.5.2, 6.5.2.1
    • Fix Version/s: None
    • Component/s: session

      Description

      Bug description

      logoutByHandle returns true even if the session handle doesn't exist. Invalid or expired sessions, and sessions that for any reason are not logged out, need better handling. When the session handle has an invalid length, a 500 error is returned.

      How to reproduce the issue

      1. Log in as demo
      2. Log in as amadmin and query the demo session handles
        curl -X GET \
          'http://openam.example.com:18080/openam/json/realms/root/sessions?_fields=sessionHandle&_queryFilter=username%20eq%20%22demo%22%20and%20realm%20eq%20%22/%22' \
          -H 'Content-Type: application/json' \
          -H 'iPlanetDirectoryPro: DDQrTo1y5pzi_ZtI0bcXwDZw8JQ.*AAJTSQACMDEAAlNLABxPeXF6TnB2SUlwYlY3T3NqY0pDOWNBTWNVZXc9AAR0eXBlAANDVFMAAlMxAAA.*'
        
        {
           "result":[
              {
                 "_rev":"290117257",
                 "sessionHandle":"shandle:ffeNMattLQ-C_T0iH1aY_bO_ZMc.*AAJTSQACMDEAAlNLABxkdERxVmZiaVY4MmVock1MNlZhVEpKSFI0Z0k9AAR0eXBlAANDVFMAAlMxAAA.*"
              }
           ],
           "resultCount":1,
           "pagedResultsCookie":null,
           "totalPagedResultsPolicy":"NONE",
           "totalPagedResults":-1,
           "remainingPagedResults":-1
        }
        
      3. Now try to log out with 3 invalid session handles (the first has some characters changed before the dot, the second has characters changed after the dot, and the third is a made-up handle)
        curl -X POST "http://openam.example.com:18080/openam/json/sessions?_action=logoutByHandle" \
          -H "accept: application/json" \
          -H "Accept-API-Version: resource=3.1" \
          -H "Content-Type: application/json" \
          -H "X-Requested-With: SwaggerUI" \
          -d '{ "sessionHandles": [
        "shandle:aaeNMattLQ-C_T0iH1aY_bO_ZMc.*AAJTSQACMDEAAlNLABxkdERxVmZiaVY4MmVock1MNlZhVEpKSFI0Z0k9AAR0eXBlAANDVFMAAlMxAAA.*",
        "shandle:aaeNMattLQ-C_T0iH1aY_bO_ZMc.*AAJTSQACMDEAAlNLABxkdERxVmZiaVY4MmVock1MNlZhVEpKSFI0Z0k8AAR0eXBlAANDVFMAAlMxAAA.*",
        "shandle:AQIC5cM2LY4Sfcz3qAgf7_aI3yXozEC2p-_qPvHHalcVj_k.*AAJTSQACMDIAAlNLABM3Mzk2NjkzMkU2NTQzNTY1NTUyAAJTMQACMDE.*" ]}'
        {
          "result": {
            "shandle:aaeNMattLQ-C_T0iH1aY_bO_ZMc.*AAJTSQACMDEAAlNLABxkdERxVmZiaVY4MmVock1MNlZhVEpKSFI0Z0k9AAR0eXBlAANDVFMAAlMxAAA.*": true,
            "shandle:aaeNMattLQ-C_T0iH1aY_bO_ZMc.*AAJTSQACMDEAAlNLABxkdERxVmZiaVY4MmVock1MNlZhVEpKSFI0Z0k8AAR0eXBlAANDVFMAAlMxAAA.*": true,
            "shandle:AQIC5cM2LY4Sfcz3qAgf7_aI3yXozEC2p-_qPvHHalcVj_k.*AAJTSQACMDIAAlNLABM3Mzk2NjkzMkU2NTQzNTY1NTUyAAJTMQACMDE.*": true
          }
        }
        
      Expected behaviour
      false should be returned, since the given sessions are not valid
      Current behaviour
      true is returned for invalid sessions
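      Because the buggy result is indistinguishable from a real logout, an admin client cannot rely on the true value alone. As an added example (not OpenAM's own code and not part of this report), a Python client that only accepts a true when the handle was live before the call and is absent from the session query afterwards; the admin token and username are placeholders, and the endpoints and headers are those used in the reproduction steps above.

```python
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, Set

# Deployment values are assumed; the host matches the one used in the report.
BASE = "http://openam.example.com:18080/openam/json"

def query_live_handles(admin_token: str, username: str) -> Set[str]:
    """Return the session handles currently live for `username` in the root realm."""
    qf = urllib.parse.quote(f'username eq "{username}" and realm eq "/"')
    req = urllib.request.Request(
        f"{BASE}/realms/root/sessions?_fields=sessionHandle&_queryFilter={qf}",
        headers={"Content-Type": "application/json",
                 "iPlanetDirectoryPro": admin_token},
    )
    with urllib.request.urlopen(req) as resp:
        body = json.load(resp)
    return {r["sessionHandle"] for r in body.get("result", [])}

def logout_by_handle(admin_token: str, handles: Iterable[str]) -> Dict[str, bool]:
    """POST the logoutByHandle action and return its per-handle result map unchanged."""
    data = json.dumps({"sessionHandles": list(handles)}).encode()
    req = urllib.request.Request(
        f"{BASE}/sessions?_action=logoutByHandle", data=data, method="POST",
        headers={"Content-Type": "application/json",
                 "Accept-API-Version": "resource=3.1",
                 "iPlanetDirectoryPro": admin_token},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["result"]

def verified_logout(handles: Iterable[str], live_before: Set[str],
                    logout_fn: Callable[[Iterable[str]], Dict[str, bool]],
                    live_after_fn: Callable[[], Set[str]]) -> Dict[str, bool]:
    """A handle counts as logged out only if the server said true AND it was live
    before the call AND it is gone afterwards; made-up handles therefore yield False."""
    handles = list(handles)
    reported = logout_fn(handles)           # may be all-true on affected versions
    live_after = live_after_fn()            # independent check against the session store
    return {h: bool(reported.get(h)) and h in live_before and h not in live_after
            for h in handles}

if __name__ == "__main__":
    token, user = "<admin SSO token>", "demo"   # placeholders, not real values
    before = query_live_handles(token, user)
    print(verified_logout(before, before, lambda hs: logout_by_handle(token, hs),
                          lambda: query_live_handles(token, user)))
```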
      

            People

            • Assignee:
              Unassigned
              Reporter:
              anastasios.kampas Tasos Kampas