# lemonldap-ng issues
Feed: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues
Feed updated: 2020-05-04T13:57:21Z

## OAuth2 handler should return 401 when access token is missing or invalid
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2167
Updated: 2020-05-04T13:57:21Z
Author: Maxime Besson

See https://tools.ietf.org/html/rfc6750#section-3
The current behavior is to redirect to the portal.
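Added example for the RFC 6750 behaviour this issue asks for (editor's code, not LemonLDAP::NG's): a protected resource answers a missing token with a bare 401 challenge, a bad or expired token with 401 `error="invalid_token"`, and a valid token lacking the needed scope with 403 `error="insufficient_scope"`, instead of redirecting to the portal. The token store, realm and required scope are constructed stand-ins, not taken from the project.

```python
"""Bearer-token error handling as RFC 6750 section 3 prescribes.

Added example, not LemonLDAP::NG code. Assumptions (not from the issue):
TOKENS is a constructed in-memory stand-in for the OIDC access-token store,
REALM and REQUIRED_SCOPE are arbitrary, and the handler returns a status code
plus headers instead of redirecting to the portal.
"""
import time
from typing import Optional

REALM = "llng-api"
REQUIRED_SCOPE = "read"

# Constructed sample store: token -> (expiry epoch, granted scopes)
_NOW = time.time()
TOKENS = {
    "good-token": (_NOW + 3600, {"openid", "read", "write"}),
    "narrow-token": (_NOW + 3600, {"openid"}),
    "stale-token": (_NOW - 1, {"read"}),
}


def bearer_from_header(authorization: Optional[str]) -> Optional[str]:
    """Pull the credential out of 'Authorization: Bearer <token>'.

    The scheme is case-insensitive; any other scheme (Basic, ...) or an empty
    credential counts as "no bearer token presented".
    """
    if not authorization:
        return None
    parts = authorization.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1].strip():
        return None
    return parts[1].strip()


def authorize(authorization: Optional[str], now: Optional[float] = None):
    """Return (status, headers) for a protected-resource request.

    RFC 6750 s3.1:
      * no token at all       -> 401, bare challenge, no error code (the
                                  client may not know authentication is needed)
      * bad or expired token  -> 401 error="invalid_token"
      * valid token, no scope -> 403 error="insufficient_scope"
    A 302 to the login portal is never right for an API client: it cannot
    complete an interactive login and would misread the HTML as a response.
    """
    now = time.time() if now is None else now
    token = bearer_from_header(authorization)
    if token is None:
        return 401, {"WWW-Authenticate": f'Bearer realm="{REALM}"'}
    entry = TOKENS.get(token)
    if entry is None or entry[0] <= now:
        return 401, {
            "WWW-Authenticate": (
                f'Bearer realm="{REALM}", error="invalid_token", '
                'error_description="The access token is expired or revoked"'
            )
        }
    if REQUIRED_SCOPE not in entry[1]:
        return 403, {
            "WWW-Authenticate": (
                f'Bearer realm="{REALM}", error="insufficient_scope", '
                f'scope="{REQUIRED_SCOPE}"'
            )
        }
    return 200, {}
```

The distinction between the first two 401 cases matters: the bare challenge tells a client it must authenticate, while `invalid_token` tells it to discard the token it holds and obtain a new one.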

Milestone: 2.0.8
Assignee: Maxime Besson
Due date: 2020-04-24

## Chrome warns about compromised data when using form replay
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2694
Updated: 2022-02-13T12:51:28Z
Author: dcoutadeur dcoutadeur

### Concerned version
Version: %2.0.13
Platform: Apache
### Summary
There is a new feature in Chrome that verifies user/password entered in a form against a stolen database record.
See https://www.welivesecurity.com/2019/12/12/chrome-warnings-password-stolen/ or https://security.googleblog.com/2019/12/better-password-protections-in-chrome.html for more information.
The form replay feature acts in 2 steps:
- step1: a javascript fills fake data in the post form (just for sending the form)
- step2: the handler sets the desired data on the fly in the post form
During step 1, the data are simply "xxxx", with the same number of x's as the length of the injected value.
This value is considered a stolen password by Chrome and provokes an annoying warning in the browser.
### Possible fixes
Computing a random value of the same length for every field in the form.

Milestone: 2.0.14
Assignee: dcoutadeur dcoutadeur
Due date: 2022-02-07

## Handle USR1 signal to launch configuration reload
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3052
Updated: 2024-03-28T07:43:21Z
Author: Yadd

See !413

Milestone: 2.20.0
Assignee: Yadd

## Add messaging broker support to share instantaneously events like logout or configuration update
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3051
Updated: 2024-03-27T10:53:38Z
Author: Yadd

We can propose here a plugin system like the logger interface. Proposed plugin list:
* [Redis pub/sub](https://redis.io/docs/interact/pubsub/)
* [RabbitMQ](https://www.rabbitmq.com/)
Such a system can also provide a backend for a better "status" system.

Milestone: 2.20.0

## Allow logout_app and logout_app_sso in Nginx
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3044
Updated: 2023-12-14T16:30:19Z
Author: dcoutadeur dcoutadeur

### Summary
Currently, logout_app and logout_app_sso are only working on Apache.
It would be nice to have the same feature in Nginx. Maybe we can use Lua for this purpose.

Milestone: 2.18.0
Assignee: dcoutadeur dcoutadeur

## 'Bad token' error is returned if just a regexp is employed to define serviceToken scope
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3016
Updated: 2023-10-04T14:58:22Z
Author: Christophe Maudoux <chrmdx@gmail.com>

### Affected version
Version: All
Platform: All
### Summary
ServiceToken scope can be defined by listing VH or by setting a regexp.
If just a regexp is used, serviceToken is not valid.
### Logs
```
2023-09-27T10:56:29+02:00 [info] New request Lemonldap::NG::Handler::Server::Nginx GET /ws/interrogation/v1/sia
2023-09-27T10:56:29+02:00 [debug] Found token: Ncs3DVXOWIHKELrPG5hrbRPjBBsxpEIczn7yeTR8/rpvna6NXiwvsOzYUAUFM9wBJJn+9fLs8PcaSabSkVbzEGwE+bGFuDrgNtG3bw6lnu1FNo51eu9Ziwlu52afQ5E59rqhNLrHO10qfgJaxNW4cSN0RnETh9o1fUnr481yzndEPNLTkamqZKuk4tc5fjGsPyBryfF+JssJ3Kd+3P3xvw==
2023-09-27T10:56:29+02:00 [debug] Found epoch: 1695804950
2023-09-27T10:56:29+02:00 [debug] Found _session_id: 309701221aef41a79a20c63ef167c17e2f41d145702d2c9a879ddd72cf616881
2023-09-27T10:56:29+02:00 [debug] Found VHost regexp: federation?.dvsso.gendarmerie.fr
2023-09-27T10:56:29+02:00 [error] Bad service token
2023-09-27T10:56:29+02:00 [debug] [error] Bad service token
```
### Possible fixes
Fix the test:
```
unless ( (@vhostRegexp or @vhosts) and $_session_id ) {
```

Milestone: 2.18.0
Assignee: Christophe Maudoux <chrmdx@gmail.com>

## Default value is not applied to ServiceTokenTTL
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3013
Updated: 2023-11-20T14:44:22Z
Author: Christophe Maudoux <chrmdx@gmail.com>

### Affected version
Version: %2.17.0
Platform: All
### Summary
ServiceTokenTTL can be defined for each VH by using Manager. Default value (30s) should be used if ServiceTokenTTL is set to '-1'.
But it seems that the used value is really '-1' instead of '30'.
![image](/uploads/163ed864e35800d89becc9b61c827c2f/image.png)
### Logs
```
2023-09-26T14:40:52+02:00 [info] New request Lemonldap::NG::Handler::Server::Nginx GET /rest/webservice/multifichiers
2023-09-26T14:40:52+02:00 [debug] Found token: kNW9Z7tPx5BGcedL48GqcwRkehsPxEp12mwG5mpBE+JWkCKDrx/lPQmCciSKwBwi0RMnTi1Pr4mY8Q3ud5WTMkthByb5qteYUOwfy2cZhVvX7itK8VjCNrPzXDIpMOsU75IucuR2hMU1OFA46tbSKQkCU+DJKojmH0WnIyyfrYuZASkJsnHC9IArYCtxZWyJis/7x6hBvqppWwMnBya4UA==
2023-09-26T14:40:52+02:00 [debug] Found epoch: 1695732026
2023-09-26T14:40:52+02:00 [debug] Found _session_id: 31ea82a21bad933a8a0ccf8db0b143413702043ed50ea748914e6f54b148756a
2023-09-26T14:40:52+02:00 [debug] Found VHost: fpr-test.dvsso.gendarmerie.fr
2023-09-26T14:40:52+02:00 [debug] fpr-test.dvsso.gendarmerie.fr found in VHosts list: fpr-test.dvsso.gendarmerie.fr
2023-09-26T14:40:52+02:00 [warn] Expired service token
2023-09-26T14:40:52+02:00 [debug] [warn] Expired service token
2023-09-26T14:40:52+02:00 [debug] VH: fpr-test.dvsso.gendarmerie.fr with ServiceTokenTTL: -1
2023-09-26T14:40:52+02:00 [debug] TokenTime: 1695732026 / Time: 1695732052
2023-09-26T14:40:52+02:00 [debug] No cookie found
```
### Possible fixes
Is the SetDefault function employed?
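Added example covering this issue and #3016 above (editor's code, not LemonLDAP::NG's): a service-token check in which the scope test accepts a regexp-only scope, as the proposed `(@vhostRegexp or @vhosts)` fix does, and a per-VH ServiceTokenTTL of -1 falls back to the 30 s default instead of being compared literally. The token layout, the HMAC signing with a constructed key, the `re:` prefix for regexp scope entries and the per-VH TTL table are all assumptions made for the example; the real handler encrypts the token with its own configured key.

```python
"""Service-token check with the two defects reported in #3016 and #3013 fixed.

Added example, not LemonLDAP::NG code. Assumptions (not from the issues):
the token is "epoch|session_id|scope|hmac" signed with a constructed key
(LLNG encrypts with its own configured key; the scope and TTL logic, not the
cryptography, is the point), scope entries are comma-separated, entries
prefixed "re:" are vhost regexps and the others literal vhost names, and a
per-vhost ServiceTokenTTL of -1 means "use the default".
"""
import hashlib
import hmac
import re
import time
from typing import List, Optional, Tuple

KEY = b"constructed-demo-key-not-a-real-secret"
DEFAULT_SERVICE_TOKEN_TTL = 30  # seconds

# Constructed per-vhost configuration; the first entry mirrors the log above.
VHOST_SERVICE_TOKEN_TTL = {
    "fpr-test.dvsso.gendarmerie.fr": -1,
    "other.example": 120,
}


def effective_ttl(vhost: str) -> int:
    """#3013: -1 (or an unset value) must fall back to the default; comparing
    it literally makes every token older than -1 seconds look expired."""
    ttl = VHOST_SERVICE_TOKEN_TTL.get(vhost, -1)
    return DEFAULT_SERVICE_TOKEN_TTL if ttl < 0 else ttl


def _sign(payload: str) -> str:
    return hmac.new(KEY, payload.encode(), hashlib.sha256).hexdigest()


def mint(session_id: str, scope: List[str], epoch: Optional[int] = None) -> str:
    """Issue a token bound to a session and a scope (vhost names and/or re: regexps)."""
    epoch = int(time.time()) if epoch is None else epoch
    payload = f"{epoch}|{session_id}|{','.join(scope)}"
    return f"{payload}|{_sign(payload)}"


def check(token: str, vhost: str, now: Optional[int] = None,
          list_only: bool = False) -> Tuple[bool, str]:
    """Validate a token for `vhost`; returns (ok, reason_or_session_id).

    list_only=True reproduces the pre-fix test from #3016, which required a
    non-empty literal vhost list and so rejected regexp-only scopes before the
    vhost was even compared.
    """
    now = int(time.time()) if now is None else now
    try:
        payload, sig = token.rsplit("|", 1)
        epoch_s, session_id, scope_s = payload.split("|", 2)
    except ValueError:
        return False, "Bad service token"
    if not hmac.compare_digest(sig, _sign(payload)):
        return False, "Bad service token"
    entries = [e for e in scope_s.split(",") if e]
    vhosts = [e for e in entries if not e.startswith("re:")]
    regexps = [e[3:] for e in entries if e.startswith("re:")]
    if list_only:
        scope_ok = bool(vhosts)             # old test: only @vhosts counted
    else:
        scope_ok = bool(vhosts or regexps)  # fixed: (@vhostRegexp or @vhosts)
    if not (scope_ok and session_id):
        return False, "Bad service token"
    if vhost not in vhosts and not any(re.fullmatch(r, vhost) for r in regexps):
        return False, "Service token not valid for this VHost"
    if now - int(epoch_s) > effective_ttl(vhost):
        return False, "Expired service token"
    return True, session_id
```

The timestamps in the second test below are the ones from the log above: the token was 26 seconds old when it was rejected, which is inside the 30 s default but outside a literal TTL of -1.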

Milestone: 2.18.0

## Apache2 handler not compatible with mod_remoteip
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3009
Updated: 2023-09-28T06:45:17Z
Author: Maxime Besson

### Affected version
Version: 2.17.0
### Summary
* Configure Apache2 + handler
* Configure mod_remoteip to set IP address from X-Forwarded-For
* LemonLDAP still uses the proxy's address in $req, which means logs are wrong and rules based on $ENV{REMOTE_ADDR} don't work
### Logs
```
[perl:debug] [pid 2057] Redirect PROXY.IP.ADDR to portal (url was /)
```
### Possible fixes
Use the undocumented $r->useragent_ip instead of $r->connection->remote_ip.
This will cause a change in behavior that must be mentioned in the release notes.
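Added example of the distinction behind this issue (editor's code, not LemonLDAP::NG's or mod_remoteip's): the TCP peer address (what `$r->connection->remote_ip` reports, always the proxy) versus the client address reconstructed from X-Forwarded-For (what mod_remoteip stores and `$r->useragent_ip` reports). The trusted-proxy list and the right-to-left walk are a simplified model of mod_remoteip's RemoteIPInternalProxy handling, assumed for the example; the point is that the header is only honoured when the peer is a trusted proxy, so a client cannot spoof its way past an IP-based rule.

```python
"""Which address an access rule should see when the handler sits behind a
reverse proxy: the TCP peer, or the client mod_remoteip reconstructs from
X-Forwarded-For.

Added example, not LemonLDAP::NG or mod_remoteip code. Assumptions (not from
the issue): TRUSTED_PROXIES is a constructed list playing the role of
RemoteIPInternalProxy, and the right-to-left walk below is a simplified model
of what mod_remoteip stores in useragent_ip.
"""
import ipaddress
from typing import Optional, Tuple

TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),        # constructed: internal load balancers
    ipaddress.ip_network("192.168.1.10/32"),   # constructed: a single front proxy
]


def is_trusted_proxy(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def resolve_client(peer_addr: str, xff: Optional[str]) -> Tuple[str, str]:
    """Return (useragent_ip, connection_remote_ip).

    connection_remote_ip is always the TCP peer: that is what the handler read
    before the fix, so behind a proxy every request looked like PROXY.IP.ADDR.
    useragent_ip is derived only when the peer itself is trusted: walk
    X-Forwarded-For from the right, dropping trusted proxies, and stop at the
    first untrusted hop. Entries further left are client-supplied and ignored,
    which is what keeps a spoofed 'X-Forwarded-For: 192.168.0.1' from
    satisfying an IP-based access rule.
    """
    if not xff or not is_trusted_proxy(peer_addr):
        return peer_addr, peer_addr
    client = peer_addr
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break                    # malformed entry: keep the last good hop
        client = hop
        if not is_trusted_proxy(hop):
            break
    return client, peer_addr


def rule_allows(ip: str, allowed: str = "192.168.0.0/24") -> bool:
    """An access rule of the form: $ENV{REMOTE_ADDR} is inside 192.168.0.0/24."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(allowed)
```

The last assertion below is the issue's symptom in miniature: evaluated against the connection address the rule rejects a legitimate internal client, evaluated against the user-agent address it passes.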

Milestone: 2.18.0
Assignee: Maxime Besson

## Installation of LLNG 2.16.2 retrieves a 2.17 dependency
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2997
Updated: 2023-11-29T15:47:15Z
Author: Mickael Bride

When installing LLNG 2.16.2 on AlmaLinux 8 with Yum, the "perl-Lemonldap-NG-SSSaaS-Apache-Client" 2.17.0-1.el8 is retrieved instead of 2.16.2-1.el8.

Milestone: 2.18.0
Assignee: Xavier Bachelot

## Test fails with Perl 5.38
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2984
Updated: 2023-08-28T16:00:34Z
Author: Yadd

From https://bugs.debian.org/1043239 :
> Source: lemonldap-ng
> Version: 2.16.1+ds-2
> Severity: important
> Tags: ftbfs trixie sid
> User: debian-perl@lists.debian.org
> Usertags: perl-5.38-transition
>
> This package fails to build from source with Perl 5.38 (currently in experimental.)
>
> http://perl.debian.net/rebuild-logs/perl-5.38-throwaway/lemonldap-ng_2.16.1+ds-2/lemonldap-ng_2.16.1+ds-2_amd64-2023-08-04T06:12:12Z.build
```
# Failed test 'Found correct error message'
# at t/12-Lemonldap-NG-Handler-Jail.t line 114.
# 'syntax error at (eval 52) line 1, at EOF
# Execution of (eval 52) aborted due to compilation errors.
# '
# doesn't match '(?^:Missing right curly or square bracket)'
# Looks like you failed 1 test of 22.
# Failed test 'Found correct error message'
# at t/13-Lemonldap-NG-Handler-Fake-Safe.t line 107.
# 'syntax error at (eval 47) line 1, at EOF
# Execution of (eval 47) aborted due to compilation errors.
# '
# doesn't match '(?^:Missing right curly or square bracket)'
# Looks like you failed 1 test of 16.
Test Summary Report
-------------------
t/12-Lemonldap-NG-Handler-Jail.t (Wstat: 256 (exited 1) Tests: 22 Failed: 1)
Failed test: 22
Non-zero exit status: 1
t/13-Lemonldap-NG-Handler-Fake-Safe.t (Wstat: 256 (exited 1) Tests: 16 Failed: 1)
Failed test: 16
Non-zero exit status: 1
Files=25, Tests=405, 7 wallclock secs ( 0.08 usr 0.03 sys + 4.03 cusr 0.70 csys = 4.84 CPU)
Result: FAIL
```
> This looks like just an issue of changed diagnostics, but please don't hesitate to file a bug against perl in case it turns out to have runtime effects that warrant a Breaks entry.

Milestone: 2.17.0

## Append an OAuth2ST handler wrapper
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2947
Updated: 2024-03-27T10:05:35Z
Author: Christophe Maudoux <chrmdx@gmail.com>

### Summary
Some WebServices can be requested by OIDC applications using AccessToken and Web applications using ServiceToken.
It leads to defining two routes, one protected by the ST handler and one protected by the OAuth2 handler.
### Design proposition
The idea is to provide a handler able to serve both AT and ST, like the DevOpsST wrapper.

Milestone: 2.20.0
Assignee: Christophe Maudoux <chrmdx@gmail.com>

## Lemonldap-NG-Handler: 2 test failures against Perl 5 blead (development version)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2913
Updated: 2023-08-08T08:41:35Z
Author: James Keenan

A change in the development branch of the Perl 5 core distribution has triggered failures in the test suite of Lemonldap-NG-Handler. As this development branch is likely to be released as perl-5.38.0 in our annual production release on or after May 20 2023, your attention to this problem is requested.
Sample CPAN testers report:
http://www.cpantesters.org/cpan/report/2cd8dd76-d6f9-11ed-8cf5-4eaba9ff8ba7
Overview of test failure reports:
http://fast-matrix.cpantesters.org/?dist=Lemonldap-NG-Handler
Extract of test failures:
```
Running make test for COUDOT/Lemonldap-NG-Handler-2.0.16.tar.gz
PERL_DL_NONLAZY=1 "/usr/home/jkeenan/testing/blead/bin/perl" "-MExtUtils::Command::MM" "-MTest::Harness" "-e" "undef *Test::Harness::Switches; test_harness(0, 'blib/lib', 'blib/arch')" t/*.t
t/01-Lemonldap-NG-Handler-Main.t ........................... ok
[Sun Apr 9 17:08:33 2023] [LLNG:44931] [error] Bad logLevel value '', switching to 'info'
t/05-Lemonldap-NG-Handler-Reload.t ......................... ok
# Failed test 'Found correct error message'
# at t/12-Lemonldap-NG-Handler-Jail.t line 111.
# 'syntax error at (eval 52) line 1, at EOF
# Execution of (eval 52) aborted due to compilation errors.
# '
# doesn't match '(?^:Missing right curly or square bracket)'
# Looks like you failed 1 test of 22.
t/12-Lemonldap-NG-Handler-Jail.t ...........................
Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/22 subtests
# Failed test 'Found correct error message'
# at t/13-Lemonldap-NG-Handler-Fake-Safe.t line 104.
# 'syntax error at (eval 47) line 1, at EOF
# Execution of (eval 47) aborted due to compilation errors.
# '
# doesn't match '(?^:Missing right curly or square bracket)'
# Looks like you failed 1 test of 16.
t/13-Lemonldap-NG-Handler-Fake-Safe.t ......................
Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/16 subtests
t/14-Lemonldap-NG-Handler-Rule-Building.t .................. ok
...
t/99-pod.t ................................................. ok
Test Summary Report
-------------------
t/12-Lemonldap-NG-Handler-Jail.t (Wstat: 256 (exited 1) Tests: 22 Failed: 1)
Failed test: 22
Non-zero exit status: 1
t/13-Lemonldap-NG-Handler-Fake-Safe.t (Wstat: 256 (exited 1) Tests: 16 Failed: 1)
Failed test: 16
Non-zero exit status: 1
Files=25, Tests=571, 6 wallclock secs ( 0.09 usr 0.03 sys + 4.63 cusr 1.64 csys = 6.39 CPU)
Result: FAIL
Failed 2/25 test programs. 2/571 subtests failed.
*** Error code 255
```
This problem was originally reported on Dec 31 2022 here: https://github.com/Perl/perl5/issues/20346#issuecomment-1368210714
The change in Perl 5 blead is discussed at the top of GH 20346. My own, non-authoritative reading of that ticket suggests that, for perl-5.37.4 and later versions, you will have to modify the two test files to expect a different error message to be thrown. (Nonetheless, I applaud you for testing for error messages!)
Thank you very much.

Milestone: 2.16.2
Assignee: Maxime Besson

## Add a function in Safelib to match IP addresses reliably
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2903
Updated: 2023-06-26T07:09:41Z
Author: Maxime Besson

### Summary
Currently we have to do this in accessRules:
```
$ipAddr eq "127.0.0.1" or $ipAddr =~ /192\.168/
```
This is error-prone and difficult; we need a better function that understands CIDR notation:
```
inNetwork("192.168.0.0/24") or inNetwork("127.0.0.1/32")
```
### Design proposition
* We need to find (or vendor) a CPAN module that works in SafeJail.
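Added example of the matching semantics an `inNetwork`-style function needs (editor's code, not the Safelib function the issue proposes, and Python rather than Perl): it shows why the regexp rule quoted above over-matches, and a CIDR matcher that handles IPv6, IPv4-mapped IPv6 addresses from a dual-stack listener, and malformed input by failing closed. The function name and the rule values are the editor's own.

```python
"""CIDR-based address matching for access rules.

Added example, not LemonLDAP::NG code. Assumptions (not from the issue): the
function name in_network and the sample rule values are the editor's own.
"""
import ipaddress
import re


def in_network(ip_addr, *cidrs) -> bool:
    """True when ip_addr lies in any of the CIDR blocks.

    Bare addresses in a rule mean /32 or /128. IPv4-mapped IPv6 addresses
    (::ffff:a.b.c.d), which a dual-stack listener hands out for v4 clients,
    are unwrapped so v4 rules keep applying. Unparseable client input is
    False (fail closed); an unparseable network in a rule raises ValueError,
    since a typo in configuration should be loud, not silently deny or allow.
    """
    try:
        ip = ipaddress.ip_address(ip_addr.strip())
    except (ValueError, AttributeError):
        return False
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if ip.version == net.version and ip in net:
            return True
    return False


def old_rule(ip_addr: str) -> bool:
    """The regexp-based rule from the issue, as written in the accessRule."""
    return ip_addr == "127.0.0.1" or re.search(r"192\.168", ip_addr) is not None


def new_rule(ip_addr: str) -> bool:
    """The same intent expressed with CIDR blocks."""
    return in_network(ip_addr, "192.168.0.0/24", "127.0.0.1/32")
```

Note that `/192\.168/` is unanchored: it matches anywhere in the string, so an address such as 10.192.168.1 satisfies it, and even an anchored `/^192\.168/` would still cover the whole /16 rather than the one /24 the author probably meant.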

Milestone: 2.17.0
Assignee: Maxime Besson

## [Security][CVE-2023-28862] AuthBasic does not handle failure correctly
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2896
Updated: 2023-10-08T16:40:55Z
Author: Maxime Besson

### Concerned version
Version: 2.0.16
### Summary
The AuthBasic handler works like this:
* It computes a sessionid from login+password
* If sessionid already exists in the session DB, authenticate user
* Else, try to create the corresponding session by sending the login+pass to the portal RESTServer plugin
However, the only required step in the login flow is `store`. If anything happens after the `store` step, AuthBasic will succeed because the fixed-id session has been successfully created, which means:
* Accounts that are supposed to be 2FA-protected are not 2FA protected when AuthBasic is used
* If a 2FA module returns an error, the *first* AuthBasic request will 401, but the *second* AuthBasic request will work correctly => *VERY CONFUSING*
* Any plugin that tries to deny session *after* the `store` step will not deny AuthBasic sessions
This is probably a security issue
### Possible fixes
If the AuthBasic login process fails (not PE_OK), we need to remove the session created by `store` and return an error
This will cause a regression: users who relied on AuthBasic working for 2FA protected account will now see failures
Possible solution: use an env variable in 2FA activation rules if desired:
```
has2f("TOTP") and not $env->{"AuthBasic"}
```
or something of that sort.
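Added example reproducing the flow this issue describes (editor's code, not LemonLDAP::NG's): a miniature login pipeline in which `store` creates a session keyed by the credentials, a 2FA step after it fails, and a second AuthBasic request finds the session and succeeds. The same code shows the proposed fix (remove the session when the result is not PE_OK) and the suggested env-variable escape hatch in the 2FA activation rule. The PE_* values, the user table and the pipeline steps are constructed stand-ins for the portal.

```python
"""Why a login pipeline that stops at `store` lets AuthBasic bypass later
checks, and the effect of the proposed fix.

Added example, not LemonLDAP::NG code. Assumptions (not from the issue): the
PE_* codes, USERS and the three-step pipeline are constructed stand-ins for
the portal; the session store is an in-memory dict; `env` carries the
AuthBasic flag the issue suggests exposing to 2FA activation rules.
"""
import hashlib
from typing import Dict, Optional, Tuple

PE_OK, PE_BADCREDENTIALS, PE_SENDRESPONSE = 0, 5, -1   # constructed values
SESSIONS: Dict[str, dict] = {}
USERS = {
    "dwho": {"password": "dwho", "totp_enrolled": True},
    "rtyler": {"password": "rtyler", "totp_enrolled": False},
}


def fixed_session_id(login: str, password: str) -> str:
    """AuthBasic derives the session id from the credentials, so the same
    login+password always maps to the same session."""
    return hashlib.sha256(f"{login}:{password}".encode()).hexdigest()


def two_factor_required(user: dict, env: dict) -> bool:
    """Models an activation rule such as: has2f("TOTP") and not $env->{"AuthBasic"}"""
    return user["totp_enrolled"] and not env.get("AuthBasic", False)


def portal_login(login: str, password: str, sid: str, env: dict,
                 remove_on_failure: bool) -> int:
    """Constructed pipeline: authenticate -> store -> second factor."""
    user = USERS.get(login)
    if not user or user["password"] != password:
        return PE_BADCREDENTIALS                  # nothing stored yet: safe
    SESSIONS[sid] = {"user": login}               # `store`, the only mandatory step
    result = PE_SENDRESPONSE if two_factor_required(user, env) else PE_OK
    if result != PE_OK and remove_on_failure:
        SESSIONS.pop(sid, None)                   # the fix: undo `store` on failure
    return result


def auth_basic(login: str, password: str, env: Optional[dict] = None,
               remove_on_failure: bool = False) -> int:
    """Return the HTTP status AuthBasic would answer for one request."""
    env = env or {}
    sid = fixed_session_id(login, password)
    if sid in SESSIONS:
        return 200                                # an existing session wins outright
    rc = portal_login(login, password, sid, env, remove_on_failure)
    return 200 if rc == PE_OK else 401


def two_requests(login: str, password: str, env: Optional[dict] = None,
                 remove_on_failure: bool = False) -> Tuple[int, int]:
    """Send the same Basic credentials twice against a fresh session store."""
    SESSIONS.clear()
    first = auth_basic(login, password, env, remove_on_failure)
    second = auth_basic(login, password, env, remove_on_failure)
    return first, second
```

The (401, 200) pair is exactly the "very confusing" behaviour the report describes; with the fix the second request fails like the first, and the env-variable rule is what an administrator would use to deliberately exempt AuthBasic clients from 2FA rather than getting the exemption by accident.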

Milestone: 2.16.1
Assignee: Maxime Besson

## Allow to define ServiceToken scope with RegExp
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2849
Updated: 2023-01-25T12:23:33Z
Author: Christophe Maudoux <chrmdx@gmail.com>

### Summary
ServiceToken scope consists of a VHost list. It is tedious because you have to declare all the VHs one by one.
### Design proposition
Extend ST scope definition by allowing regexps.

Milestone: 2.0.16
Assignee: Christophe Maudoux <chrmdx@gmail.com>

## Unable to delete FIDO MFA Key
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2837
Updated: 2023-12-14T09:16:55Z
Author: Dave Conroy

### Concerned version
Version: 2.15.1
Platform: Nginx (tiredofit/docker-lemonldap -- My image)
### Summary
After registering with a Fido Device (oddly enough I don't get confirmation when I do, and can only see it back at 2fa Manager)
I now have a Fido key registered to me. When I try to remove it, I am presented with a JS popup "This operation cannot be undone" and select Unregister.
It removes from the screen, but upon page reload, the key reappears.
### Logs
```
2022-12-14 10:08:08 | LLNG[2717]: [debug] daveconroy request to delete webauthn2f device
2022-12-14 10:08:08 | LLNG[2717]: [debug] Impersonation plugin is enabled
2022-12-14 10:08:08 | LLNG[2717]: [debug] ContextSwitching plugin is enabled
2022-12-14 10:08:08 | LLNG[2717]: [debug] daveconroy is allowed to update 2FA
2022-12-14 10:08:08 | LLNG[2717]: [debug] Deleted 2F Device: { type => WebAuthn, epoch => 1670956099 }
2022-12-14 10:08:08 | LLNG[2717]: [debug] Found 'whatToTrace' -> daveconroy
2022-12-14 10:08:08 | LLNG[2717]: [debug] Update daveconroy persistent session
2022-12-14 10:08:08 | LLNG[2717]: [debug] Update session MASKED
2022-12-14 10:08:08 | LLNG[2717]: [debug] Update sessionInfo _2fDevices
2022-12-14 10:08:08 | LLNG[2717]: [debug] Dump: $VAR1 = '[]';
```
From the manager, the key can be removed.

Milestone: In discussion
Assignee: Maxime Besson

## add documentation about protection of websocket applications
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2825
Updated: 2022-11-22T10:28:49Z
Author: dcoutadeur dcoutadeur

### Summary
add documentation about protection of websocket applications

Milestone: 2.0.16
Assignee: dcoutadeur dcoutadeur

## Status: Unknown command line during OIDC flow
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2787
Updated: 2022-08-26T14:13:47Z
Author: Maxime Besson

### Concerned version
Version: 2.0.14
### Summary
* Enable handler status
* Browse to an OIDC app, or any portal URL that contains a space, such as
* Non fatal, but puzzling status error line appears in Apache error logs
* Also, the request won't be counted
### Logs
```
Status: Unknown command line -> dwho => /oauth2/authorize?client_id=test&scope=a b 24
```
### Possible fixes
This is caused by the regexp in Status.pm
```
# Activity collect
if (
/^(\S+)\s+=>\s+(\S+)\s+(OK|REJECT|REDIRECT|LOGOUT|UNPROTECT|SKIP|EXPIRED|\-?\d+)$/
)
{
```
OIDC scopes can contain spaces
I think the best fix is to normalize the URL using URI->canonical before writing it to the status socket.
Warning: status writes are done in several places: Handler::Main, Portal::Main, etc.
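Added example of the failure and the fix (editor's code, not LemonLDAP::NG's): the regexp quoted above, run over the status line from the log, does not match because `\S+` stops at the space inside the scope parameter, so the request is neither counted nor recognised; percent-encoding the URL before it is written restores a single token. The `"<user> => <url> <code>"` layout is inferred from the log line, and `urllib.parse.quote` stands in for `URI->canonical`.

```python
"""Why a URL containing a space breaks the status collector's line format, and
the normalisation that avoids it.

Added example, not LemonLDAP::NG code. Assumptions (not from the issue):
STATUS_RE copies the regexp quoted above; the line layout
"<user> => <url> <code>" is inferred from the log line; canonical_url uses
urllib.parse.quote in place of URI->canonical.
"""
import re
from collections import Counter
from urllib.parse import quote

STATUS_RE = re.compile(
    r"^(\S+)\s+=>\s+(\S+)\s+(OK|REJECT|REDIRECT|LOGOUT|UNPROTECT|SKIP|EXPIRED|\-?\d+)$"
)
# Characters left as-is; everything else (space, controls, non-ASCII) becomes %XX.
_SAFE = ":/?#[]@!$&'()*+,;=%"


def canonical_url(url: str) -> str:
    """Percent-encode what is not legal in a URL; '%' is kept so an already
    encoded URL is not double-encoded."""
    return quote(url, safe=_SAFE)


def status_line(user: str, url: str, code) -> str:
    """Writer side: normalise before the line is sent to the status socket."""
    return f"{user} => {canonical_url(url)} {code}"


def parse_status(line: str):
    """Collector side: the original regexp, unchanged."""
    m = STATUS_RE.match(line)
    return m.groups() if m else None


def collect(lines):
    """Count accepted lines per user and return the ones that did not parse
    (the 'Unknown command line' cases)."""
    per_user = Counter()
    unknown = []
    for line in lines:
        parsed = parse_status(line)
        if parsed is None:
            unknown.append(line)
            continue
        per_user[parsed[0]] += 1
    return dict(per_user), unknown
```

Normalising on the writer side, as the issue proposes, keeps the collector's regexp untouched, which is what makes it safe to apply the fix at every place that writes to the socket.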

Milestone: 2.0.15
Assignee: Maxime Besson

## missing handler logs with default Nginx + LemonLDAP
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2769
Updated: 2022-07-28T10:11:25Z
Author: dcoutadeur dcoutadeur

### Concerned version
Version: %2.0.14
Platform: Nginx
### Summary
With a default `lemonldap-ng.ini`, half of the handler logs are missing, unless the logger is specified explicitly:
```
userLogger = Lemonldap::NG::Common::Logger::Syslog
logger = Lemonldap::NG::Common::Logger::Syslog
```
### Workaround
Set the logger explicitly.
### Resolution
More investigation needed.

Milestone: 2.0.15
Assignee: dcoutadeur dcoutadeur

## [CVE-2022-37186] Session destroyed on portal but still valid on handlers while there is activity
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2758
Updated: 2023-09-22T14:13:30Z
Author: Mickael Bride

### Concerned version
Version: %2.0.13
Platform: Apache
### Summary
I have activated "One session per user" option.
If I log in a second time with the same account, the 1st session is indeed destroyed on the portal, but on the handler the session is still valid even after the cache expiration (600s). The session expires on the handler only after 600s of inactivity (no request), while it should expire after 600s (with or without activity).
### Logs
When query is accepted by handler (just after the session was destroyed on session backend):
```
[Fri May 13 13:49:22.382959 2022] [perl:debug] [pid 21187] Apache2.pm(14): Get session 6e29421e589869bc4124bc05aa62bdb20da615f2be290a6e48 from Handler::Main::Run
[Fri May 13 13:49:22.383085 2022] [perl:debug] [pid 21187] Apache2.pm(14): Check session validity from Handler
[Fri May 13 13:49:22.383184 2022] [perl:debug] [pid 21187] Apache2.pm(14): Session timeout -> 72000
[Fri May 13 13:49:22.383288 2022] [perl:debug] [pid 21187] Apache2.pm(14): Session timeoutActivity -> 900s
[Fri May 13 13:49:22.383380 2022] [perl:debug] [pid 21187] Apache2.pm(14): Session _utime -> 1652449119
[Fri May 13 13:49:22.383465 2022] [perl:debug] [pid 21187] Apache2.pm(14): now -> 1652449762
[Fri May 13 13:49:22.383551 2022] [perl:debug] [pid 21187] Apache2.pm(14): _lastSeen -> 1652449119
[Fri May 13 13:49:22.383638 2022] [perl:debug] [pid 21187] Apache2.pm(14): now - _lastSeen = 643
[Fri May 13 13:49:22.383732 2022] [perl:debug] [pid 21187] Apache2.pm(14): Session timeoutActivityInterval -> 250
[Fri May 13 13:49:22.383822 2022] [perl:debug] [pid 21187] Apache2.pm(14): Session TTL = 71357
[Fri May 13 13:49:22.407127 2022] [perl:debug] [pid 21187] Apache2.pm(14): Update _lastSeen with 1652449762
[Fri May 13 13:49:22.407431 2022] [perl:debug] [pid 21187] Apache2.pm(14): No URL authentication level found...
[Fri May 13 13:49:22.407566 2022] [perl:debug] [pid 21187] Apache2.pm(14): api-mediation.dev.flexiblecontactcenter.orange-business.com: Apply default rule
```
After 600 seconds of inactivity:
```
[Fri May 13 14:16:08.247736 2022] [perl:info] [pid 21397] Session 6e29421e589869bc4124bc05aa62bdb20da615f2be290a6e48 can't be retrieved
[Fri May 13 14:16:08.247859 2022] [perl:info] [pid 21397] Session cannot be tied: Object does not exist in the data store at /usr/share/perl5/vendor_perl/Apache/Session/Store/DBI.pm line 93.\n
```
### Backends used
I have the following settings:
- Session timeout: 72000
- Sessions activity timeout: 900
- Sessions update interval: 250
- Sessions Storage / cache module options / default_expires_in: 600
### Possible fixes

Milestone: 2.0.15
Assignee: Yadd
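Added example modelling the behaviour in this report (editor's code, not LemonLDAP::NG's, and not the project's actual fix): a handler-side cache in front of a central session store, driven by one request a minute while the session is destroyed centrally at t=100 s. With an entry whose expiry is pushed out every time `_lastSeen` is rewritten into it (one way to obtain the reported behaviour, assumed here), the destroyed session is accepted for as long as the client keeps sending requests; with the expiry pinned to the moment the session was last fetched from the backend, acceptance stops at most `default_expires_in` seconds after the fetch, active or not. The backend, cache and timings are constructed.

```python
"""How a handler's local session cache keeps a destroyed session alive for as
long as it stays active, and the bound a fetch-time expiry restores.

Added example, not LemonLDAP::NG code. Assumptions (not from the issue): the
backend and cache are in-memory stand-ins; `sliding=True` models a cache entry
whose expiry is pushed out every time _lastSeen is rewritten into it, which is
one way to get the behaviour the report describes; `sliding=False` pins the
expiry to the moment the session was last fetched from the backend.
"""
from typing import Dict, Optional, Tuple


class SessionBackend:
    """Central store shared by portal and handlers (what "destroyed on portal" hits)."""

    def __init__(self):
        self.store: Dict[str, dict] = {}

    def get(self, sid: str) -> Optional[dict]:
        return self.store.get(sid)

    def put(self, sid: str, data: dict) -> None:
        if sid in self.store:             # writes to a destroyed session are lost
            self.store[sid] = dict(data)

    def delete(self, sid: str) -> None:
        self.store.pop(sid, None)


class HandlerCache:
    def __init__(self, backend: SessionBackend, default_expires_in: int = 600,
                 sliding: bool = False):
        self.backend = backend
        self.ttl = default_expires_in
        self.sliding = sliding
        self.entries: Dict[str, Tuple[dict, int]] = {}   # sid -> (data, expires_at)

    def get_session(self, sid: str, now: int) -> Optional[dict]:
        hit = self.entries.get(sid)
        if hit and hit[1] > now:
            return hit[0]                                 # served from cache, no backend check
        data = self.backend.get(sid)                      # cache miss or expired: ask the backend
        if data is None:
            self.entries.pop(sid, None)
            return None
        self.entries[sid] = (dict(data), now + self.ttl)
        return self.entries[sid][0]

    def touch(self, sid: str, now: int) -> None:
        """Update _lastSeen (LLNG does this at most every timeoutActivityInterval)."""
        hit = self.entries.get(sid)
        if not hit:
            return
        data, expires_at = hit
        data["_lastSeen"] = now
        self.backend.put(sid, data)
        if self.sliding:
            expires_at = now + self.ttl   # the defect: activity refreshes the local copy
        self.entries[sid] = (data, expires_at)


def last_accepted_after_destroy(sliding: bool, destroy_at: int = 100, step: int = 60,
                                end: int = 900, ttl: int = 600) -> Optional[int]:
    """Drive one request every `step` seconds; the session is destroyed in the
    backend at `destroy_at`. Returns the last time the handler still accepted
    the destroyed session, or None if it never did."""
    backend = SessionBackend()
    backend.store["s1"] = {"user": "dwho", "_lastSeen": 0}
    cache = HandlerCache(backend, ttl, sliding)
    last_ok = None
    for now in range(0, end, step):
        if now >= destroy_at and "s1" in backend.store:
            backend.delete("s1")
        if cache.get_session("s1", now) is not None:
            cache.touch("s1", now)
            if now >= destroy_at:
                last_ok = now
    return last_ok
```

The idle case in the last assertion matches the report's observation that the session does expire after 600 s without requests: the defect is specific to the combination of local caching and activity.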