Our team is in the midst of upgrading from OpenMRS 1.7.x to 1.12.x, and we noticed a strange behavior.
Login as admin
Go to the Administration page
Stop application server (Tomcat)
Go directly to the Administration page
No login is required to view the Administration page
We were always required to log in again after a Tomcat restart in OpenMRS 1.7.x. Is this considered a security vulnerability since the session is not destroyed?
We’re also concerned this may lead to other session-related issues.
I think I have seen this happen before but was unable to reproduce it. Would be nice if one could look into how to consistently reproduce it
It occurs for me every time I perform the steps provided.
I have been loading the admin page URL as soon as I click the “Start” button on Tomcat. This might be the key.
Turns out it’s a feature of Tomcat 7. It’s set to enable session persistence by default, and here’s a link to disable it: https://tomcat.apache.org/tomcat-7.0-doc/config/manager.html#Disable_Session_Persistence
OpenMRS must have made use of this feature somewhere between 1.7 and 1.12
Thanks @sjmckee for sharing your findings. Would you consider this to be a bug in OpenMRS?
FWIW, it happened with this ticket: https://issues.openmrs.org/browse/TRUNK-3327
Hence started from 1.8.4 and above when UserContext implemented the Serializable interface.
That is because when the server is configured to persist sessions on restarts, it will persist only those objects that implement the Serializable. Therefore this explains why the same tomcat configurations could not lead to what you reported until when you upgraded.
Implementing Serializable is good in general. Some application servers require that any object stored in session (and its references) implements Serializable.
No, I would not consider this an OpenMRS bug. Thanks for the information on the serialization referenced in TRUNK-3327.