Bug with Email Security SSP and Central Admin Console sessions

Feature and severity: Logging into Central admin console after logging into Sophos Central Email Security self service portal // Minimal

Summary: Self service portal session cookie prevents access to central admin console

Observed behavior: If I have an active session with the email security self service portal (cloud.sophos.com/.../self-service) and then try to access the central admin console (central.sophos.com/manage), it won't load and presents a white screen. But if I have an active session in the central admin console before trying to access the email security self service portal, I have no issues.

Desired: I should be able to view the admin console without logging out of the email security self service portal, or at the least be prompted for MFA, which the self service portal does not require.

Reproduce it: In a clean browser session, open and log into the email security self service portal (cloud.sophos.com/.../self-service). Then, in a new tab, open and try to log into the central admin console (central.sophos.com/manage).

Workarounds: Have an active session in the central admin console before logging into the self service portal. Log out of the self service portal beforehand. Remove the cookie named SESSION planted by domain .sophos.com before logging into the central admin console. Use different browser sessions.

Causal theory: When logging into the admin console, admins are prompted for MFA. When logging into the email security SSP, you don't get prompted for MFA. When you log into the SSP, you are assigned a non-MFA session token, and the authentication for the admin console doesn't handle this session token in a way that prompts for MFA to upgrade the session to an MFA session.

[edited by: Gladys at 3:42 AM (GMT -8) on 19 Dec 2022]
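A small model of the shared-cookie situation the report describes, added here as an illustration (not Sophos code): two apps under one parent domain share a cookie named SESSION, the portal issues it without MFA, and the admin console should treat such a session as needing step-up rather than failing. All app names, cookie values and the session store are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Session:
    subject: str
    issuer: str   # which app created the session (constructed: "ssp" or "admin")
    mfa: bool     # whether MFA was completed for this session


@dataclass
class CookieJar:
    # name -> (domain, value); a browser sends a cookie to every host under its domain
    cookies: dict = field(default_factory=dict)

    def set(self, name, domain, value):
        self.cookies[name] = (domain, value)

    def sent_to(self, host):
        """Cookies the browser would attach to a request for `host`."""
        return {n: v for n, (d, v) in self.cookies.items()
                if host == d.lstrip(".") or host.endswith(d)}

    def delete(self, name):
        """The report's workaround: drop the parent-domain SESSION cookie."""
        self.cookies.pop(name, None)


SESSION_STORE = {}   # constructed server-side store: token -> Session


def ssp_login(jar, user):
    """Self-service portal: password-only login, cookie scoped to .sophos.com."""
    token = f"ssp-{user}"
    SESSION_STORE[token] = Session(user, "ssp", mfa=False)
    jar.set("SESSION", ".sophos.com", token)


def admin_console_request(jar):
    """Admin console deciding what to do with whatever SESSION cookie arrives.

    A session the console did not issue, or one without MFA, is not an error
    condition (the white screen in the report); it is a step-up prompt.
    """
    token = jar.sent_to("central.sophos.com").get("SESSION")
    sess = SESSION_STORE.get(token)
    if sess is None:
        return "login"        # no usable session: show the login page
    if not sess.mfa:
        return "prompt_mfa"   # session exists but was never MFA-verified: step up
    return "dashboard"
```

Running `ssp_login` and then `admin_console_request` on the same jar returns `"prompt_mfa"`; deleting the cookie first returns `"login"`, matching the workaround.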