Closed
Description
Request Type
Bug
Work Environment
| Question | Answer |
|---|---|
| OS version (server) | Ubuntu |
| OS version (client) | Ubuntu |
| Cortex version / git hash | 2.0.1 |
| Package Type | DEB |
| Browser type & version | FF |
Problem Description
As reported by @3c7 and @jeromeleonard after building the training VM containing TheHive 3.0.7 and Cortex 2.0.1 and running some tests, having both applications share the same URL causes a session collision and all sorts of weird behaviors.
The initial debugging conducted by @To-om shows that if both applications have the same secret (`play.http.secret.key`) and the same user exists in both apps, a logged-in user on one application will automatically be authenticated on the other.
If they have different secrets, or if a user exists in one app but not in the other, a request will invalidate the cookie and remove the session.
Possible Solutions
Choose different cookie names while managing the CSRF token without collisions.
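The collision described in the report, as an added model that is not TheHive or Cortex code: two Play-style applications on one origin read and write the same cookie name, so whichever app answers a request also decides what happens to the other app's session. The cookie format here (hex HMAC-SHA256 over a base64 JSON payload) is a simplified stand-in for Play's signed session cookie, not its wire format; the secrets, the user `alice`, and the per-app cookie names `THEHIVE_SESSION` / `CORTEX_SESSION` used for the fix are assumptions; the "discard the cookie on a bad signature or unknown user" behaviour is the one the report describes.

```python
"""Two Play-style apps sharing one origin and, by default, one session cookie.

Added illustration for the issue above; not TheHive/Cortex code. The cookie
format is a simplified stand-in for Play's signed session cookie.
"""
import base64
import hashlib
import hmac
import json
from typing import Dict, Iterable, Optional, Tuple

COOKIE_DEFAULT = "PLAY_SESSION"  # Play's default session cookie name


def sign_session(secret: bytes, data: Dict[str, str]) -> str:
    """Signed cookie value: <hex HMAC>-<base64 JSON payload> (simplified format)."""
    payload = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{mac}-{payload}"


def verify_session(secret: bytes, cookie: str) -> Optional[Dict[str, str]]:
    """Return the session data if the MAC verifies under `secret`, else None."""
    mac, sep, payload = cookie.partition("-")
    if not sep:
        return None
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload.encode()))


class App:
    """One Play-like application with its own secret, user store and cookie name."""

    def __init__(self, name: str, secret: bytes, users: Iterable[str],
                 cookie_name: str = COOKIE_DEFAULT) -> None:
        self.name = name
        self.secret = secret
        self.users = set(users)
        self.cookie_name = cookie_name

    def login(self, jar: Dict[str, str], username: str) -> None:
        """Issue a signed session cookie into the browser's jar for this origin."""
        if username not in self.users:
            raise ValueError(f"{username} is not a user of {self.name}")
        jar[self.cookie_name] = sign_session(self.secret, {"username": username})

    def request(self, jar: Dict[str, str]) -> str:
        """Handle one request; an invalid or unknown session is discarded from the jar."""
        cookie = jar.get(self.cookie_name)
        if cookie is None:
            return "anonymous"
        session = verify_session(self.secret, cookie)
        if session is None:
            jar.pop(self.cookie_name, None)  # signed with another secret: drop it
            return "discarded: bad signature"
        user = session.get("username")
        if user not in self.users:
            jar.pop(self.cookie_name, None)  # valid signature, but no such user here
            return f"discarded: unknown user {user}"
        return f"authenticated as {user}"


def run_scenario(same_secret: bool, user_in_cortex: bool,
                 distinct_cookie_names: bool) -> Tuple[str, str, str]:
    """Log in to TheHive, then hit TheHive, Cortex, TheHive; return the three outcomes."""
    hive_secret = b"shared-secret"  # assumed value
    cortex_secret = hive_secret if same_secret else b"other-secret"  # assumed value
    hive = App("TheHive", hive_secret, {"alice"},
               "THEHIVE_SESSION" if distinct_cookie_names else COOKIE_DEFAULT)
    cortex = App("Cortex", cortex_secret, {"alice"} if user_in_cortex else {"bob"},
                 "CORTEX_SESSION" if distinct_cookie_names else COOKIE_DEFAULT)
    jar: Dict[str, str] = {}  # one cookie jar: both apps live on the same origin
    hive.login(jar, "alice")
    return hive.request(jar), cortex.request(jar), hive.request(jar)


if __name__ == "__main__":
    print("same secret, user in both:   ", run_scenario(True, True, False))
    print("different secrets:           ", run_scenario(False, True, False))
    print("user missing in Cortex:      ", run_scenario(True, False, False))
    print("distinct cookie names (fix): ", run_scenario(True, True, True))
```

The first scenario reproduces the cross-authentication (a TheHive login is accepted by Cortex), the second and third reproduce the lost session (Cortex rejects and discards the cookie, so the next TheHive request is anonymous), and the last shows why separate cookie names stop the two apps from touching each other's session at all. In Play the session cookie name is the `play.http.session.cookieName` setting, and the CSRF filter keeps its token in the session unless `play.filters.csrf.cookie.name` moves it into a cookie of its own, which is the part the proposed solution's "without collisions" caveat refers to.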