Skip Menu |

This queue is for tickets about the CGI-Application-Plugin-Session CPAN distribution.

Report information
The Basics
Id: 32194
Status: resolved
Priority: 0/
Queue: CGI-Application-Plugin-Session

People
Owner: Nobody in particular
Requestors: r.b.hamar [...] usit.uio.no
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Support for generating new session id
Date: Wed, 9 Jan 2008 14:24:06 +0100
To: bug-CGI-Application-Plugin-Authentication [...] rt.cpan.org, bug-CGI-Application-Plugin-Session [...] rt.cpan.org
From: Robert Bauck Hamar <r.b.hamar [...] usit.uio.no>
The book /Innocent Code/ (<URL:http://innocentcode.thathost.com/>) stresses the importance of generating new session ID's after authentication. This is due to a security hazard: If a person accessses a page using authentication and sessions (say http://example.com/example.cgi), a session id will be generated for him. If he now tricks a victim to access the page url with this session id in the query (ex: http://example.com/example.cgi?CGISESSID=secretid), he might now have given the victim a valid session id, and if the victim logs in, the attacker will hold an authenticated session id. The fix is simple: When a user's credentials is verified, a new session should be generated as a copy of the old before it is marked as authenticated. I request: * a renew method in CAP::Session that will create a new session as a copy of the existing, replace the session object, and generate a new cookie header. * a config option for CAP::Store::Session to use this method whenever a user logs in. This could be implemented so that whenever save is called with a given key, a new session should be generated. or something similar. -- Robert Bauck Hamar USIT/SAPP/GT - Cerebrum http://www.uio.no/sok?person=hamar
Download (untitled)
application/pgp-signature 189b

Message body not shown because it is not plain text.

I have added a 'session_recreate' method that will create a new session with all the same parameters of the original. This will appear in version 1.03 which was just uploaded. Cheers, Cees