Impact
When logging in as an active user, another Rudder user with access to configure my user account could do so while I'm still using Rudder. They could disable or delete, change password and remove or add roles. These actions could be security-sensitive in many ways (I could still access or modify data in Rudder, or I could have changed password because my old one leaked). However my browser session is still the same and I can still use Rudder as long as it is open : until it expires or the Rudder server restarts.
A disabled or deleted user should have its session expire instantly and should not be able to still use Rudder.
This should also be enforced when changing password and changing rights in Rudder.
For users with administrator rights (at least administrator_read), the session is not required to expire instantly because they are considered to have a sufficient level of privileges in Rudder to take action, in that case restarting the Rudder server is the solution to expire administrator sessions.
Note: API access is not affected and a user's API tokens are immediately unusable after user is disabled or deleted.
Patches
Workarounds
Restarting the Web application service with systemctl restart rudder-jetty destroys all active sessions, thus preventing any access from disabled or removed user accounts.
References
Impact
When logging in as an active user, another Rudder user with access to configure my user account could do so while I'm still using Rudder. They could disable or delete, change password and remove or add roles. These actions could be security-sensitive in many ways (I could still access or modify data in Rudder, or I could have changed password because my old one leaked). However my browser session is still the same and I can still use Rudder as long as it is open : until it expires or the Rudder server restarts.
A disabled or deleted user should have its session expire instantly and should not be able to still use Rudder.
This should also be enforced when changing password and changing rights in Rudder.
For users with administrator rights (at least
administrator_read), the session is not required to expire instantly because they are considered to have a sufficient level of privileges in Rudder to take action, in that case restarting the Rudder server is the solution to expire administrator sessions.Note: API access is not affected and a user's API tokens are immediately unusable after user is disabled or deleted.
Patches
Workarounds
Restarting the Web application service with
systemctl restart rudder-jettydestroys all active sessions, thus preventing any access from disabled or removed user accounts.References