Issue
- There are security configuration requirements regarding session management that need to be confirmed for Liferay DXP.
Environment
- Liferay DXP 7.4
Resolution
- Requirement: the application uses the 'Referer' (referrer) header as a supplemental check only, and never as the basis of any authorization check.
- Liferay does not rely on the referrer header for any security purpose. Doing so would be neither secure nor reliable, because many browsers do not send that header and a client can omit or alter it. With this note it is confirmed that the 'Referer' header is not used for authorization checks.
- Requirement: for any long-lived authenticated sessions that are allowed, the application periodically re-validates a user's authorization to ensure that their privileges have not changed; if they have, the user is logged out and forced to re-authenticate.
- Authorization changes for authenticated users are applied in real time. A user's current roles take effect on subsequent requests without requiring a logout and re-authentication.
- Requirement: the application supports disabling accounts and terminating sessions when authorization ceases (e.g., changes to roles).
- If a user is deactivated by an administrator, Liferay disables the account in real time. The existing session remains active, but the disabled user can no longer perform any action and is shown the message:
  "your account with login testuser@liferay.com is not active. Please contact the administrator for more help"
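The security-relevant point in the answers above is that authorization is decided from the user's current account state on each request, not from a snapshot taken at login, which is why a deactivated user's session can still exist while the user can no longer act. The following is an added illustrative model of that pattern in Python; it is not Liferay's code and does not use Liferay APIs. The account store, session store, user login, role name and messages are constructed for the example, and the weak "stale snapshot" variant is shown only for contrast.

```python
"""Added illustrative model (not Liferay's code) of authorizing a request from an
existing session in two ways: a stale role snapshot taken at login versus a live
check of the current account record. All names, data and messages are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass
class Account:
    login: str
    active: bool = True
    roles: Set[str] = field(default_factory=set)


@dataclass
class Session:
    session_id: str
    login: str
    # A naive implementation copies the roles into the session at login and never looks again.
    roles_at_login: Set[str] = field(default_factory=set)


class Directory:
    """Constructed in-memory account and session store standing in for the real user database."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}

    def login(self, login: str, session_id: str) -> Session:
        account = self.accounts[login]
        if not account.active:
            raise PermissionError(inactive_message(login))
        session = Session(session_id, login, set(account.roles))
        self.sessions[session_id] = session
        return session

    def terminate_sessions(self, login: str) -> int:
        """Hard revocation on top of the live check: drop every session of the user."""
        doomed = [sid for sid, s in self.sessions.items() if s.login == login]
        for sid in doomed:
            del self.sessions[sid]
        return len(doomed)


def inactive_message(login: str) -> str:
    return (f"your account with login {login} is not active. "
            "Please contact the administrator for more help")


def authorize_stale(session: Session, required_role: str) -> bool:
    """Weak pattern: trusts roles snapshotted at login. Role removal and account
    deactivation have no effect until the session happens to expire."""
    return required_role in session.roles_at_login


def authorize_live(directory: Directory, session: Session, required_role: str) -> Tuple[bool, str]:
    """Hardened pattern: every request re-reads the current account record, so the
    session object can stay alive while the user is immediately unable to act."""
    if session.session_id not in directory.sessions:
        return False, "session terminated"
    account = directory.accounts.get(session.login)
    if account is None or not account.active:
        return False, inactive_message(session.login)
    if required_role not in account.roles:
        return False, "forbidden: role no longer assigned"
    return True, "ok"


def run_scenario() -> Dict[str, object]:
    """Walk through a role removal and a deactivation; return what each pattern decides."""
    d = Directory()
    d.accounts["testuser@liferay.com"] = Account("testuser@liferay.com", roles={"Site Administrator"})
    s = d.login("testuser@liferay.com", "sid-1")
    out: Dict[str, object] = {}
    out["stale_initial"] = authorize_stale(s, "Site Administrator")
    out["live_initial"] = authorize_live(d, s, "Site Administrator")[0]

    # An administrator removes the role while the session is still open.
    d.accounts[s.login].roles.discard("Site Administrator")
    out["stale_after_role_removed"] = authorize_stale(s, "Site Administrator")
    out["live_after_role_removed"] = authorize_live(d, s, "Site Administrator")[0]

    # An administrator deactivates the account; the session object itself is untouched.
    d.accounts[s.login].active = False
    allowed, reason = authorize_live(d, s, "Site Administrator")
    out["stale_after_deactivation"] = authorize_stale(s, "Site Administrator")
    out["live_after_deactivation"] = allowed
    out["deactivation_message"] = reason
    out["session_still_exists"] = s.session_id in d.sessions

    # Optional hard revocation if the deployment also wants the session ended.
    out["sessions_terminated"] = d.terminate_sessions(s.login)
    out["live_after_termination"] = authorize_live(d, s, "Site Administrator")[1]
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running the scenario shows the stale pattern still granting access after the role is removed and after the account is deactivated, while the live pattern denies both at once even though the session record still exists; terminating the sessions is an additional step, not what makes the denial take effect.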
Additional Information
- Please submit an HC ticket if any more information is required on this topic.