Details
Type: Bug
Status: Closed
Priority: Major
Resolution: Duplicate
Affects Version/s: None
Fix Version/s: None
Component/s: Security
Labels: None
Environment: nexus-professional-2.0-20120119.133103-13-bundle
Story Points: 2
Description
I tracked this down to the fact that cookies do not typically set the port, so per the RFC they can be sent to a different server as long as the host name is the same.
http://stackoverflow.com/questions/1612177/are-http-cookies-port-specific
Setting the port in the cookie may cause other issues with browsers (and how does this play with firewalls and proxies?).
One simple solution is to make the cookie name configurable. If we ever switch to shiro-guice (which will remove a bunch of other code) we could easily inject/configure the cookie name.
Or, if we are going to keep our boilerplate code, we could configure the cookie name in org.sonatype.nexus.security.NexusWebRealmSecurityManager.init() by calling webSessionManager.setSessionIdCookie(...).
Original setup:
I started two Nexus Pro instances locally.
Nexus A - http://localhost:8081/nexus - publisher
Nexus B - http://localhost:8082/nexus - subscriber
Established a Smart Proxy trust between A and B.
Created the apache-snapshots-proxy repo on Nexus B, proxied to Nexus A (http://localhost:8081/nexus/content/repositories/apache-snapshots).
Besides logging into the UI only a few times, I noticed the following in the Nexus B logs after a short while:
jvm 1 | 2012-01-19 15:45:22 INFO [Thread-25 ] - org.apache.shiro.session.mgt.AbstractValidatingSessionManager - Validating all active sessions...
jvm 1 | 2012-01-19 15:45:22 INFO [Thread-25 ] - org.apache.shiro.session.mgt.AbstractValidatingSessionManager - Finished session validation. [274] sessions were stopped.
Nexus A seemed to have 169 sessions cleaned up.
How is it that 274 sessions were created? Are these being created by smart proxy?
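The cookie behaviour the report describes, reproduced as an added example (this is not Nexus or Shiro code, and not from the reporter). It drives Python's standard-library cookie jar, which applies the same host-only, port-insensitive matching that browsers do, through the two-instance setup above: a session cookie set by localhost:8081 is attached to the next request to localhost:8082, and when both instances use the same cookie name each login overwrites the other's session id. The URLs are the ones from the report; the cookie values and the distinct cookie names NEXUS_A_SESSION and NEXUS_B_SESSION are constructed for the example and are not names the project uses.

```python
"""Show that a cookie jar ignores the port when matching cookies to requests
(RFC 6265, section 8.5), so two servers on one host name that share a session
cookie name clobber each other's session in the client, while distinct
cookie names keep the two sessions apart even though both still cross ports.
Added example; not Nexus or Shiro code."""
import email.message
import http.cookiejar
import urllib.request

# URLs taken from the bug report's setup: same host, different ports.
NEXUS_A = "http://localhost:8081/nexus/"
NEXUS_B = "http://localhost:8082/nexus/"


class _Response:
    """Just enough of an HTTP response for CookieJar.extract_cookies()."""

    def __init__(self, set_cookie_values):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            self._headers.add_header("Set-Cookie", value)

    def info(self):
        return self._headers


def store(jar, url, *set_cookie_values):
    """Store cookies as if a response from url carried these Set-Cookie headers."""
    request = urllib.request.Request(url)
    jar.extract_cookies(_Response(set_cookie_values), request)


def outgoing_cookie_header(jar, url):
    """Return the Cookie header the jar would attach to a request for url."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie", "")


def simulate(cookie_name_a, cookie_name_b):
    """Log in to A, then B, then revisit both; return the Cookie header each
    request carries.  cookie_name_a/b are the session cookie names the two
    instances use (constructed values; the session ids are constructed too)."""
    jar = http.cookiejar.CookieJar()
    # Instance A issues a session id. Path=/nexus mirrors a servlet container
    # scoping the cookie to the webapp context path.
    store(jar, NEXUS_A, f"{cookie_name_a}=sid-from-A; Path=/nexus; HttpOnly")
    # Port is not part of cookie scope, so B receives A's cookie unchanged.
    first_to_b = outgoing_cookie_header(jar, NEXUS_B)
    # Instance B issues its own session id. With the same cookie name this
    # replaces A's cookie in the jar (same host, path and name).
    store(jar, NEXUS_B, f"{cookie_name_b}=sid-from-B; Path=/nexus; HttpOnly")
    return {
        "first_request_to_B": first_to_b,
        "revisit_A": outgoing_cookie_header(jar, NEXUS_A),
        "revisit_B": outgoing_cookie_header(jar, NEXUS_B),
    }


if __name__ == "__main__":
    # Same cookie name on both instances: A's session id is lost as soon as
    # the client logs in to B, and A is then presented with B's id.
    print("shared name  :", simulate("JSESSIONID", "JSESSIONID"))
    # Distinct names: both cookies still travel to both ports, but each
    # instance can pick out its own and ignore the other.
    print("distinct name:", simulate("NEXUS_A_SESSION", "NEXUS_B_SESSION"))
```

Note that renaming the cookie does not stop it crossing ports; the other instance still receives it and simply has no use for it. That is the practical caveat behind the "configurable cookie name" suggestion: it resolves the collision between co-hosted instances, not the exposure of the session id to whatever else answers on the same host name.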
Issue Links
- is superseded by NEXUS-7880 change the default Nexus session cookie name (Closed)