add optional nonce to permit distinguishing multiple simultaneous auth using the same username
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Evergreen | Fix Released | Medium | Unassigned |
2.5 | Fix Released | Undecided | Unassigned |
2.6 | Fix Released | Undecided | Unassigned |
Bug Description
If multiple login attempts are made using the same username within a
very short period of time, a race condition exists where, upon
completion of the first login, the auth init cache data for any pending
logins are removed, since there can only be one instance of cached init
data per username.
This has been observed with the SIP2 gateway when multiple devices have
been configured to use the same account. Consequences include:
- failed logins
- incrementing of the failed login counter, which can ultimately lock out
all of the devices that use a given username to authenticate
In principle, the race condition could also affect public web services that
do authentication as part of initialization.
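As an added illustration (not code from the bug report or from Evergreen itself), the following Python model of a two-phase init/complete login reproduces the interleaving described above and shows how keying the init cache by (username, nonce) instead of username alone stops concurrent logins from colliding. The md5(seed + md5(password)) response, the single cache slot per username, the "successful complete deletes the seed" rule and the lockout threshold are simplifying assumptions of the model, and the account and password are constructed sample data.

```python
import hashlib
import secrets

# Constructed sample account for the simulation; not real credentials.
USERS = {"sip-shared": "correct horse battery staple"}
LOCKOUT_THRESHOLD = 3   # assumed value: failed logins before the account locks


class AuthService:
    """Minimal model of a challenge/response auth service with an init cache.

    use_nonce=False: one cache slot per username (reproduces the race).
    use_nonce=True:  slot keyed by (username, nonce), so pending logins
                     for the same username no longer share state.
    """

    def __init__(self, users, use_nonce):
        self.users = users
        self.use_nonce = use_nonce
        self.init_cache = {}    # cache key -> seed handed out by init
        self.failed = {}        # username -> failed login counter

    def _key(self, username, nonce):
        if self.use_nonce:
            if nonce is None:
                raise ValueError("nonce required when nonce keying is enabled")
            return (username, nonce)
        return (username,)      # single slot: a later init overwrites an earlier one

    def init(self, username, nonce=None):
        """Phase 1: generate a fresh seed, cache it, return it to the client."""
        seed = secrets.token_hex(16)
        self.init_cache[self._key(username, nonce)] = seed
        return seed

    @staticmethod
    def response(seed, password):
        """Client side: md5(seed + md5(password)) (assumed response scheme)."""
        pw_hash = hashlib.md5(password.encode()).hexdigest()
        return hashlib.md5((seed + pw_hash).encode()).hexdigest()

    def complete(self, username, resp, nonce=None):
        """Phase 2: verify the response against the cached seed for this login."""
        if self.failed.get(username, 0) >= LOCKOUT_THRESHOLD:
            return "locked"
        key = self._key(username, nonce)
        seed = self.init_cache.get(key)
        expected = None if seed is None else self.response(seed, self.users.get(username, ""))
        if seed is None or resp != expected:
            # A pending login whose seed was consumed by another login lands here.
            self.failed[username] = self.failed.get(username, 0) + 1
            return "failed"
        del self.init_cache[key]    # a successful login consumes its seed
        return "ok"


def simulate(use_nonce, rounds=1):
    """Two devices (A and B) share one username. In each round both call
    init before either calls complete, and B completes first. Returns
    (list of (A result, B result) per round, final failed-login count)."""
    svc = AuthService(USERS, use_nonce)
    user, pw = "sip-shared", USERS["sip-shared"]
    results = []
    for _ in range(rounds):
        nonce_a = secrets.token_hex(8) if use_nonce else None
        nonce_b = secrets.token_hex(8) if use_nonce else None
        seed_a = svc.init(user, nonce_a)    # device A starts its login
        seed_b = svc.init(user, nonce_b)    # device B starts before A finishes
        result_b = svc.complete(user, svc.response(seed_b, pw), nonce_b)
        result_a = svc.complete(user, svc.response(seed_a, pw), nonce_a)
        results.append((result_a, result_b))
    return results, svc.failed.get(user, 0)


if __name__ == "__main__":
    print("without nonce:", simulate(False, rounds=4))
    print("with nonce:   ", simulate(True, rounds=4))
```

Without the nonce, B's successful completion deletes the only cached seed for the username, so A's completion fails and increments the failed-login counter; after LOCKOUT_THRESHOLD such rounds both devices are locked out. With the nonce, each login has its own cache entry and both complete in every round.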
Evergreen master
Changed in evergreen:
importance: Undecided → Medium
Changed in evergreen:
status: Fix Committed → Fix Released
Two patches to add support for a login nonce and make the SIP gateway use it are available at the tip of the user/gmcharlt/lp134871_auth_login_nonce branch in the working/Evergreen repository:
http://git.evergreen-ils.org/?p=working/Evergreen.git;a=shortlog;h=refs/heads/user/gmcharlt/lp134871_auth_login_nonce