CSRF Warning Needs Conditions

Bug #530271 reported by Julien Funk
This bug affects 1 person

Affects: Canonical SSO provider
Status: Fix Released
Importance: Medium
Assigned to: David Owen

Bug Description

The security fix that prevents CSRF forgeries should be tweaked. At the moment it is giving forgery messages when no forgery is attempted.

Steps to Reproduce:

1. On staging log out of SSO, then log into a consumer.
2. Ensure that you have a window of SSO open on the entry page
3. After logging into the consumer via SSO, stay logged in and go back to the login page of SSO
4. On the other window attempt to log in through the original entry page

You will get a forgery message


Revision history for this message
Stuart Metcalfe (stuartmetcalfe) wrote :

We should look into the possibility of stacking forms in the session rather than only having one. The forms should definitely each have an independent (and relatively short) expiry time. This could be an issue for any user who is logged in to multiple sso-dependent sites after a browser crash/recovery if their sessions have expired in more than one of the sites.

Changed in canonical-identity-provider:
status: New → Confirmed
importance: Undecided → Medium
Revision history for this message
Stuart Metcalfe (stuartmetcalfe) wrote :

The message should also be skinned in the main theme and the wording should be made more friendly.

Revision history for this message
Julien Funk (jaboing) wrote :

This failure is cropping up everywhere and is rather frustrating at times for testing purposes.

Revision history for this message
Julien Funk (jaboing) wrote :

This has started showing up when logged into the admin interface and trying to access the regular login interface, which breaks one of our test cases, where Admin is supposed to log out when logged into SSO on the same browser.

Changed in canonical-identity-provider:
assignee: nobody → Stuart Metcalfe (stuartmetcalfe)
Changed in canonical-identity-provider:
milestone: none → 2.6.0
Revision history for this message
Dave Morley (davmor2) wrote :

It would also be useful if the error pages created were themed on staging, as the attack can't easily be recreated on production.

403 Forbidden

Cross Site Request Forgery detected. Request aborted.

is what is currently displayed on a plain white page. It would be good to have this displayed on either an Ubuntu.com or Ubuntu SSO themed page.

Changed in canonical-identity-provider:
assignee: Stuart Metcalfe (stuartmetcalfe) → nobody
David Owen (dsowen)
Changed in canonical-identity-provider:
assignee: nobody → David Owen (dsowen)
David Owen (dsowen)
Changed in canonical-identity-provider:
status: Confirmed → In Progress
David Owen (dsowen)
Changed in canonical-identity-provider:
status: In Progress → Confirmed
David Owen (dsowen)
Changed in canonical-identity-provider:
status: Confirmed → In Progress
Changed in canonical-identity-provider:
status: In Progress → Fix Committed
Julien Funk (jaboing)
Changed in canonical-isd-qa:
assignee: nobody → Dave Morley (davmor2)
Revision history for this message
Dave Morley (davmor2) wrote :

Need consumer switching on or admin access to test.

Changed in canonical-isd-qa:
status: New → Incomplete
Revision history for this message
David Owen (dsowen) wrote : Re: [Bug 530271] Re: CSRF Warning Needs Conditions

On 06/16/2010 02:33 PM, Dave Morley wrote:
> Need consumer switching on or admin access to test.

Try this:

1. Open the SSO service in one tab/window. If you're logged in, then
logout and open SSO again.

2. Open SSO in another tab/window.

You should now have two open tabs/windows, both pointing at SSO login.

3. Log in in one window.

4. Log in in the other.

Failure mode: 2nd login attempt reports a CSRF problem.

Success mode: 2nd login works same as the first.

This fails (as expected) for me on our production deploy.

It succeeds for me currently on our cloud deploy.

Revision history for this message
Dave Morley (davmor2) wrote :

User/Admin no longer has an issue; you can log in to each correctly.
Using the test consumer I see no issue either. Again the main test will be on staging.

Passing on EC2

Changed in canonical-isd-qa:
status: Incomplete → Confirmed
Revision history for this message
Dave Morley (davmor2) wrote :

Working on Staging. No issues with any of the above.

Revision history for this message
Dave Morley (davmor2) wrote :

This is working on Production

Changed in canonical-isd-qa:
status: Confirmed → Fix Released
David Owen (dsowen)
Changed in canonical-identity-provider:
status: Fix Committed → Fix Released