mirror of https://github.com/apache/cloudstack.git
synced 2025-10-26 08:42:29 +01:00
- Login is based on sessionkey HttpOnly Cookie
- ApiServlet does login verification using sessionKey from both the request cookies and the API parameters. In both cases, if either or both are passed they should match the sessionKey stored in the current session of the HttpRequest
- UI: it no longer needs to read or set sessionkey cookie
- UI: it no longer needs to return g_sessionKey value in the API requests, though to support an SSO mechanism g_sessionKey is still passed in the API if not null
- Secure jsessionid cookie is set to be HttpOnly and Secure
- SAML login should also set HttpOnly cookie before redirecting to UI
- SAML: listIdps & getSPMetadata APIs are readonly now, won't log out a logged in user

Performed tests (login, saml login if applicable, page refreshes, opening multiple tabs, logout) with the following combinations:
- SAML disabled, normal auth as admin, domain-admin and user
- SAML enabled, normal auth as admin, domain-admin and user; and saml sso as admin, domain-admin and user

Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>

This closes #574
This closes #308
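The verification rule the commit message describes (a session key may arrive in the cookie, in the API parameter, or both, and whatever is present must equal the key held in the server-side session) and the HttpOnly/Secure cookie it mentions, as an added Python illustration. This is not CloudStack's ApiServlet code; the function names, the cookie name `sessionkey` and the sample key values are assumptions made for the example.

```python
"""Illustration of session-key verification with an HttpOnly, Secure cookie.

Rule being demonstrated: a request may carry the session key as the
`sessionkey` cookie, as the `sessionkey` API parameter, or as both. Every
value that is present must match the key stored in the server-side session;
a request carrying neither is not authenticated, and a mismatch in either
place rejects the request. Names and values below are constructed for the
example, not taken from the project.
"""
import hmac
from http.cookies import SimpleCookie
from typing import Dict, Optional

COOKIE_NAME = "sessionkey"  # assumed cookie/parameter name for the example


def build_session_cookie(session_key: str) -> str:
    """Render a Set-Cookie header value for the session key.

    HttpOnly keeps the value out of document.cookie, so script running in
    the page cannot read it; Secure restricts it to HTTPS so it is never sent
    over plaintext HTTP.
    """
    jar = SimpleCookie()
    jar[COOKIE_NAME] = session_key
    jar[COOKIE_NAME]["httponly"] = True
    jar[COOKIE_NAME]["secure"] = True
    jar[COOKIE_NAME]["path"] = "/"
    # output() with an empty header prefix yields just the header value.
    return jar.output(header="").strip()


def _cookie_session_key(cookie_header: Optional[str]) -> Optional[str]:
    """Extract the session key from a raw Cookie request header, if present."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    jar.load(cookie_header)
    if COOKIE_NAME not in jar:
        return None
    return jar[COOKIE_NAME].value


def verify_session_key(stored_key: Optional[str],
                       cookie_header: Optional[str],
                       params: Dict[str, str]) -> bool:
    """Return True only if every supplied session key matches the stored one.

    stored_key    : the key kept in the current server-side session
    cookie_header : the request's Cookie header (or None)
    params        : the request's API parameters
    """
    if not stored_key:
        # No authenticated session on the server side: nothing can match.
        return False

    candidates = []
    from_cookie = _cookie_session_key(cookie_header)
    if from_cookie is not None:
        candidates.append(from_cookie)
    if COOKIE_NAME in params:
        candidates.append(params[COOKIE_NAME])

    if not candidates:
        # Neither cookie nor parameter was sent: treat as unauthenticated.
        return False

    # Constant-time comparison for each supplied value; all must match.
    expected = stored_key.encode()
    return all(hmac.compare_digest(c.encode(), expected) for c in candidates)


if __name__ == "__main__":
    # Constructed sample: server session holds key "k-session-1".
    key = "k-session-1"
    print(build_session_cookie(key))
    print(verify_session_key(key, "JSESSIONID=abc; sessionkey=k-session-1", {}))
    print(verify_session_key(key, None, {"sessionkey": "k-session-1"}))
    print(verify_session_key(key, "sessionkey=k-session-1", {"sessionkey": "other"}))
```

The `all(...)` over both sources is the point of the rule: a request that presents a correct cookie alongside a wrong API parameter (or the reverse) is rejected, rather than being accepted because one of the two happened to match.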