Index: lams_central/src/java/org/lamsfoundation/lams/web/LoginAsController.java
===================================================================
diff -u -re275beec5359edfddeab1b17564db7736c5ead0d -r01792e22e47468240e10ebec63a0a7af5e6dd592
--- lams_central/src/java/org/lamsfoundation/lams/web/LoginAsController.java (.../LoginAsController.java) (revision e275beec5359edfddeab1b17564db7736c5ead0d)
+++ lams_central/src/java/org/lamsfoundation/lams/web/LoginAsController.java (.../LoginAsController.java) (revision 01792e22e47468240e10ebec63a0a7af5e6dd592)
@@ -101,6 +101,7 @@
 UniversalLoginModule.setAuthenticationToken(token);
 // redirect to login page
 request.setAttribute("redirectURL", "/lams/index.jsp");
+ request.setAttribute("isLoginAs", true);
 return "login";
 }
 }
Index: lams_central/src/java/org/lamsfoundation/lams/web/controller/SignupController.java
===================================================================
diff -u -r01c31091a1bc352d1149f67915d670a2101fbba2 -r01792e22e47468240e10ebec63a0a7af5e6dd592
--- lams_central/src/java/org/lamsfoundation/lams/web/controller/SignupController.java (.../SignupController.java) (revision 01c31091a1bc352d1149f67915d670a2101fbba2)
+++ lams_central/src/java/org/lamsfoundation/lams/web/controller/SignupController.java (.../SignupController.java) (revision 01792e22e47468240e10ebec63a0a7af5e6dd592)
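Review bot: The new `isLoginAs` marker is a bare string literal that this commit also spells out in login.jsp and twice in SsoHandler (the same holds for `isSignup` in SignupController and SsoHandler), so a typo in any one copy silently disables the LoginAs detection instead of failing to compile. The SsoHandler hunk already reads a session key through `AttributeNames.USER`, so a constant in the same place would suit these two flags if that class is reachable from here, e.g. `request.setAttribute(AttributeNames.IS_LOGIN_AS, true);` with a matching constant added (name is a suggestion, not an existing one). A one-line comment on the added line noting that this is a request-scoped, server-side marker that login.jsp copies into the fresh session would also help, because the attribute name alone reads like a client-supplied parameter. The enclosing method starts outside the hunk.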
@@ -186,6 +186,7 @@
 HttpSession hses = request.getSession();
 hses.setAttribute("login", login);
 hses.setAttribute("password", password);
+ hses.setAttribute("isSignup", true);
 response.sendRedirect("/lams/login.jsp?redirectURL=/lams");
 return null;
 }
Index: lams_central/web/login.jsp
===================================================================
diff -u -rd0f91f196f94f7003b38aca363362a485065f70a -r01792e22e47468240e10ebec63a0a7af5e6dd592
--- lams_central/web/login.jsp (.../login.jsp) (revision d0f91f196f94f7003b38aca363362a485065f70a)
+++ lams_central/web/login.jsp (.../login.jsp) (revision 01792e22e47468240e10ebec63a0a7af5e6dd592)
@@ -191,8 +191,14 @@
 if (hs != null) {
 UserDTO userDTO = (UserDTO) hs.getAttribute("user");
 if (userDTO != null && !userDTO.getLogin().equals(request.getAttribute("login"))) {
+ Object isSignup = hs.getAttribute("isSignup");
 // remove session from mapping
 SessionManager.removeSessionByLogin(userDTO.getLogin(), true);
+
+ // tell SsoHandler about some previous session settings
+ hs = request.getSession();
+ hs.setAttribute("isSignup", isSignup);
+ hs.setAttribute("isLoginAs", request.getAttribute("isLoginAs"));
 }
 }
 %>
Index: lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java
===================================================================
diff -u -rd0f91f196f94f7003b38aca363362a485065f70a -r01792e22e47468240e10ebec63a0a7af5e6dd592
--- lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java (.../SsoHandler.java) (revision d0f91f196f94f7003b38aca363362a485065f70a)
+++ lams_common/src/java/org/lamsfoundation/lams/integration/security/SsoHandler.java (.../SsoHandler.java) (revision 01792e22e47468240e10ebec63a0a7af5e6dd592)
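Review bot: The `isLoginAs` request attribute is copied into the session only inside the `userDTO != null && !login.equals(...)` branch, so a LoginAs request that arrives with no session (`hs == null`) or with a session that has no `user` attribute never gets the flag, and SsoHandler's new `isUsingLoginAsFeature` test is then false although LoginAsController set the attribute. If that case is impossible by construction (the sysadmin must already be logged in), a comment saying so is enough; otherwise move `hs.setAttribute("isLoginAs", request.getAttribute("isLoginAs"));` after the whole `if (hs != null)` block and call it on `request.getSession()`. Reassigning `hs` to the freshly created session after `removeSessionByLogin` is correct only if that call invalidates the old one, which is not visible here and deserves a comment, since the variable name suggests it still refers to the previous session. Passing a null request attribute is harmless (`setAttribute` with null removes the name), but stating that intent in the comment would save the next reader the check.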
@@ -102,7 +102,7 @@
 SsoHandler.setJvmRoute(request);
 }
- // recreate session here in case it was invalidated in login.jsp by sysadmin's LoginAs
+ // recreate session here in case it was invalidated in login.jsp by sysadmin's LoginAs or other token password based call
 HttpSession session = request.getSession();
 UserDTO loggedInUserDTO = (UserDTO) session.getAttribute(AttributeNames.USER);
 String loggedInLogin = loggedInUserDTO == null ? "" : loggedInUserDTO.getLogin() + " ";
@@ -149,23 +149,24 @@
 return;
 }
- // LoginRequestServlet (integrations) and LoginAsAction (sysadmin) set this parameter
- String redirectURL = request.getParameter("redirectURL");
-
 //bypass 2FA if using Login-as
 boolean isPasswordToken = password.startsWith("#LAMS");
- if (!isPasswordToken) {
+ if (!isPasswordToken && !Boolean.TRUE.equals(session.getAttribute("isSignup"))) {
 // check for CSRF attack only for regular logins
 // for LoginAs and integrations existing HTTP session gets invalidated and so is the CSRF token
 CsrfValidator csrfValidator = new CsrfValidator();
 boolean isCsrfValid = csrfValidator.isValid(request, response);
 if (!isCsrfValid) {
+ SsoHandler.clearLoginSessionAttributes(session);
 throw new SecurityException("Login page does not have a valid CSRF token");
 }
 }
- boolean isUsingLoginAsFeature = isPasswordToken && StringUtils.equals(redirectURL, "/lams/index.jsp");
+ boolean isUsingLoginAsFeature = isPasswordToken
+ && Boolean.TRUE.equals(session.getAttribute("isLoginAs"));
+ // LoginRequestServlet (integrations) and LoginAsAction (sysadmin) set this parameter
+ String redirectURL = request.getParameter("redirectURL");
 // if user is not yet authorized and has 2FA shared secret set up - redirect him to
 // loginTwoFactorAuth.jsp to prompt user to enter his verification code (Time-based One-time Password)
 if (request.getRemoteUser() == null && user.isTwoFactorAuthenticationEnabled()
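Review bot: The `isSignup` CSRF exemption reads the session flag set by SignupController (the hunk on the previous line) without consuming it, so the flag only goes away through `clearLoginSessionAttributes`, and any early return between this check and that call — the 2FA redirect that follows this hunk looks like one, though its body is outside the hunk — leaves the session permanently exempt from the CSRF check for later login posts. Read and clear it at the point of use: `boolean isSignup = Boolean.TRUE.equals(session.getAttribute("isSignup"));` `session.removeAttribute("isSignup");` and `if (!isPasswordToken && !isSignup) {`, unless the 2FA round trip re-enters this method and depends on the flag, which should be confirmed before changing it. The existing comment explains the exemption only for LoginAs and integrations; a line such as `// signup arrives via a server-side redirect from SignupController, so no CSRF token was ever rendered for this session` would document why the third case is safe. Replacing the `redirectURL` string comparison with the server-set `isLoginAs` session flag is a tightening worth a comment too, since a reader may otherwise wonder why the redirect target stopped mattering. The enclosing method starts and ends outside the hunk.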
@@ -239,6 +240,8 @@
 }
 SsoHandler.logLogin(userDTO, request);
+
+ SsoHandler.clearLoginSessionAttributes(session);
 } else {
 // clear after failed authentication, if it was set in LoginRequestServlet
 SsoHandler.clearLoginSessionAttributes(session);
@@ -378,15 +381,10 @@
 session.removeAttribute("password");
 session.removeAttribute("redirectURL");
 session.removeAttribute("integratedLogoutURL");
+ session.removeAttribute("isSignup");
+ session.removeAttribute("isLoginAs");
 }
-// private static void logLogout(UserDTO user) {
-// String message = new StringBuilder("User ").append(user.getLogin()).append(" (").append(user.getUserID())
-// .append(") got logged out from another browser").toString();
-// SsoHandler.getLogEventService(SessionManager.getServletContext()).logEvent(LogEvent.TYPE_LOGOUT,
-// user.getUserID(), user.getUserID(), null, null, message);
-// }
-
 private static IUserManagementService getUserManagementService(ServletContext context) {
 if (SsoHandler.userManagementService == null) {
 WebApplicationContext ctx = WebApplicationContextUtils.getWebApplicationContext(context);