OpenMRS Open Sessions

sjmckee · March 22, 2017, 5:24pm

Our team is in the midst of upgrading from OpenMRS 1.7.x to 1.12.x, and we noticed a strange behavior.

```
 Start OpenMRS
```
```
 Login as admin
```
```
 Go to the Administration page
```
```
 Stop application server (Tomcat)
```
```
 Start OpenMRS
```

 Go directly to the Administration page

 No login is required to view the Administration page

We were always required to log in again after a Tomcat restart in OpenMRS 1.7.x. Is this considered a security vulnerability since the session is not destroyed?

We’re also concerned this may lead to other session-related issues.

Thanks, Steve McKee

wyclif · March 22, 2017, 5:58pm

I think I have seen this happen before but was unable to reproduce it. Would be nice if one could look into how to consistently reproduce it

sjmckee · March 22, 2017, 6:17pm

It occurs for me every time I perform the steps provided.

sjmckee · March 22, 2017, 6:21pm

I have been loading the admin page URL as soon as I click the “Start” button on Tomcat. This might be the key.

sjmckee · March 22, 2017, 7:21pm

Turns out it’s a feature of Tomcat 7. It’s set to enable session persistence by default, and here’s a link to disable it: https://tomcat.apache.org/tomcat-7.0-doc/config/manager.html#Disable_Session_Persistence

OpenMRS must have made use of this feature somewhere between 1.7 and 1.12

Thanks!

dkayiwa · March 22, 2017, 7:49pm

Thanks @sjmckee for sharing your findings. Would you consider this to be a bug in OpenMRS?

dkayiwa · March 22, 2017, 8:05pm

FWIW, it happened with this ticket: https://issues.openmrs.org/browse/TRUNK-3327 Hence started from 1.8.4 and above when UserContext implemented the Serializable interface. That is because when the server is configured to persist sessions on restarts, it will persist only those objects that implement the Serializable. Therefore this explains why the same tomcat configurations could not lead to what you reported until when you upgraded.

lluismf · March 22, 2017, 8:41pm

Implementing Serializable is good in general. Some application servers require that any object stored in session (and its references) implements Serializable.

sjmckee · March 23, 2017, 11:57am

No, I would not consider this an OpenMRS bug. Thanks for the information on the serialization referenced in TRUNK-3327.