Security Advisory: User changes and user session updates

Sessions of users logged-in to midPoint user interface are unaffected by the change of user profiles - until users log in again. E.g. Logged-in user will stay active even if user profile is disabled. Logged-in user can use privileges even if a role is revoked during validity of user session.

As user privileges and not revoked immediately, there is an "interval of vulnerability" during which user could use privileges that are no longer valid for that user.

Partial solution for the problem is provided in midPoint 4.0: administrator can explicitly delete sessions of affected user. There is a new "Logged-in users" page under "Internals configuration".

At the time when midPoint started such handling of user sessions was a common practice in almost all web applications. Therefore this request is, strictly speaking, not a bug report. It is closer to a feature request. And up until now there was no request from any of midPoint subscribers or users to change this behavior. And that was the reason that midPoint works like it worked many years ago.

However, we fully acknowledge that time are changing and that there is now a need to a higher standard of security and convenience. Therefore we have decided that even though this feature was not explicitly request by any midPoint subscriber, we will plan to integrate it into midPoint roadmap. Unfortunately there is no simple solution at the moment. MidPoint deployments are often clustered, which means that user sessions are distributed across several nodes. The situation is further complicated by frequent changes to user objects. Aggressive implementation of session invalidation would cause a severe performance impact. Therefore we have decided to provide a partial stop-gap solution in midPoint 4.0, which will be followed by improvements in subsequent midPoint releases.

This issue was reported by Tauheed Khan by the means of EU-Free and Open Source Software Auditing (EU-FOSSA2) project.