Security configuration related to session management

Issue

  • There are some security configuration requirements regarding session management.

Environment

  • Liferay DXP 7.4

Resolution

  • The application uses the 'referrer' header as a supplemental check only, not as the basis for any authorization check.
    • Liferay does not rely on the referrer header for any security purpose, as this would be neither secure nor reliable because many browsers do not send that header. With this note, it is confirmed that the 'referrer' header is not used for authorization checks.
  • For any long authenticated sessions allowed, the application periodically re-validates a user's authorization to ensure that their privileges have not changed; if they have, the user is logged out and forced to re-authenticate.
    • Authorization changes for any authenticated user are applied in real time and do not require the user to log out and re-authenticate.
  • The application supports disabling accounts and terminating sessions when authorization ceases (e.g., changes to roles).
    • Liferay disables the account in real time: if an admin user de-activates the user, that user sees the message "Your account with login testuser@liferay.com is not active. Please contact the administrator for more help." Note that the session itself remains active, but the disabled user will not be able to perform any action.

Additional Information

  • Please submit an HC ticket if any more information is required on this.