Issue
- There are some security configuration requirements regarding session management.
Environment
- Liferay DXP 7.4
Resolution
- The application uses the 'referrer' header only as a supplemental check, and not for any authorization check.
- Liferay does not rely on the referrer header for any security purpose, as doing so would be neither secure nor reliable: many browsers do not send that header. This confirms that the 'referrer' header is not used for authorization checks.
- For any long authenticated sessions allowed, the application periodically re-validates a user's authorization to ensure that their privileges have not changed; if they have, the user is logged out and forced to re-authenticate.
- Authorization changes for any authenticated user are applied in real time and do not require logout and re-authentication.
- The application supports disabling accounts and terminating sessions when authorization ceases (e.g., changes to roles).
- Liferay disables the account in real time and shows the message
your account with login testuser@liferay.com is not active. Please contact the administrator for more help
when the user is deactivated by an administrator. The existing session remains active, but the disabled user is not able to perform any action.
Additional Information
- Please submit an HC ticket if any more information is required on this.