HS3 Web Server Session Management Bugs/Problems - Anyone else?


  • HS3 Web Server Session Management Bugs/Problems - Anyone else?

    I've always thought the HS3 web server had very poor session management, but I've ignored it to this point. Today I ran across something really odd (and insecure).

    First, some background. I use multiple user accounts in HS3 to limit access to administrative/geeky/management devices and such. I also have auto-refresh enabled.

    If I open 2 web instances as two users on two different computers, eventually after a refresh the second computer will change to the user of the first, and both computers will show the same user session (if one user requires a login, the second computer will display a login prompt and hang there). This seems like HS3 isn't managing the sessions separately within the web server.

    If I open 2 tabs to HS3 device view as the same user, and change the view of the second to filter a different room, eventually after the refresh both tabs will show the same room view without any action on my part. Again, seems HS3 isn't managing 2 separate web sessions from the same computer as separate sessions.

    Today I had something really odd happen. I started on one computer in the Manage Plug-Ins page, left that session up and moved to a second computer and opened the same page. I had installed the mcsMQTT plugin and opened the "MQTT Doc" link, which downloaded the pdf file locally on the first computer. Once I moved to the second computer I realized I needed the document there, so I opened the "MQTT Doc" link from the second computer and nothing happened. Being human, I did this 4 or 5 more times. Nothing. Finally in frustration I moved to the first computer to copy the downloaded file, and found that the first computer had actually downloaded the document 6 times. The time stamps on the documents clearly showed that these downloads were initiated by the second computer.

    That seems like bizarre and insecure session management.

    Homeseer, any comments on this behavior?

  • #2
    This is a good question. Have you received any responses - potentially direct without being posted on the board?
    HomeSeer 2, HomeSeer 3, Allonis myServer, Amazon Alexa Dots, ELK M1G, ISY 994i, HomeKit, BlueIris, and 6 "4k" Cameras using NVR, and integration between all of these systems. Home Automation since 1980.



    • #3
      Originally posted by mterry63
      I've always thought the HS3 web server had very poor session management, but I've ignored it to this point. Today I ran across something really odd (and insecure).

      First, some background. I use multiple user accounts in HS3 to limit access to administrative/geeky/management devices and such. I also have auto-refresh enabled.

      If I open 2 web instances as two users on two different computers, eventually after a refresh the second computer will change to the user of the first, and both computers will show the same user session (if one user requires a login, the second computer will display a login prompt and hang there). This seems like HS3 isn't managing the sessions separately within the web server.

      If I open 2 tabs to HS3 device view as the same user, and change the view of the second to filter a different room, eventually after the refresh both tabs will show the same room view without any action on my part. Again, seems HS3 isn't managing 2 separate web sessions from the same computer as separate sessions.

      Today I had something really odd happen. I started on one computer in the Manage Plug-Ins page, left that session up and moved to a second computer and opened the same page. I had installed the mcsMQTT plugin and opened the "MQTT Doc" link, which downloaded the pdf file locally on the first computer. Once I moved to the second computer I realized I needed the document there, so I opened the "MQTT Doc" link from the second computer and nothing happened. Being human, I did this 4 or 5 more times. Nothing. Finally in frustration I moved to the first computer to copy the downloaded file, and found that the first computer had actually downloaded the document 6 times. The time stamps on the documents clearly showed that these downloads were initiated by the second computer.

      That seems like bizarre and insecure session management.

      Homeseer, any comments on this behavior?

      Under settings/network, check and see if you have "No Password Required for Local/Same Network Login (Web Browser/HSTouch)" checked or not.



      • #4
        Nope. Not much interest in the topic.
        Originally posted by Krumpy
        This is a good question. Have you received any responses - potentially direct without being posted on the board?
        Sent from my Pixel 2 using Tapatalk



        • #5
          I have no password required for local/same subnet checked, but I'm not sure of the relevance to the issue. I do have multiple users defined, and it's easy to force a login.
          Originally posted by wadesready

          Under settings/network, check and see if you have "No Password Required for Local/Same Network Login (Web Browser/HSTouch)" checked or not.
          Sent from my Pixel 2 using Tapatalk
