Forum OpenACS Development: Re: Session Identifier Not Updated

Posted by Vijay Deshmukh on
Gustaf,
Thank you for the reply.

Maybe you are right that the oacs version I'm having in the project open application is not the latest one. But I can't upgrade it as I'm not sure whether it will be compatible with the application.
Having said that, can you share the file name and the part of the code here which is responsible for changing the session_id when a user logs in?
And one more thing, in the issue it is stated that "don't accept the external session_id". What does this mean?
Please shed some light on this if possible.

Regards,
Vijay

Posted by Gustaf Neumann on
Maybe you are right that the oacs version I'm having in the project open application is not the latest one.

I haven't mentioned anything in this direction. The change [1] is in acs-tcl/tcl/security-procs.tcl and addresses the regeneration of session-ids when the privilege level changes during login (recommended by owasp.org). You find material concerning "externally created session identifiers" on Wikipedia [2]. There are more possible attacks against session-ids that are not handled in OpenACS, but these address only sessions of not-logged-in users. As soon as a user is logged in, the login cookie secures the session-ids strongly. Security checkers looking only at the session-id will generate false positives.

-gn

[1] http://cvs.openacs.org/changelog/OpenACS?cs=oacs-5-8%3Agustafn%3A20140725233311
[2] http://en.wikipedia.org/wiki/Session_fixation
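The two measures discussed in this thread (regenerating the session-id when the privilege level changes at login, and never adopting a session-id the server did not issue itself), shown as an added Python illustration. This is not the OpenACS code from security-procs.tcl; the SessionStore class and its resolve/login/user_of methods are names made up for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user_id: Optional[str] = None  # None until the user has logged in


class SessionStore:
    """Server-side session table: only ids minted by _new_id are honoured."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def _new_id(self) -> str:
        # 256 bits from the OS CSPRNG; unguessable by a client
        return secrets.token_urlsafe(32)

    def resolve(self, cookie_id: Optional[str]) -> str:
        """Map the incoming cookie to a session id.

        An id not present in the server table (for example one planted in the
        victim's browser by a third party) is ignored rather than adopted, so an
        externally created identifier never becomes a valid session.
        """
        if cookie_id is not None and cookie_id in self._sessions:
            return cookie_id
        sid = self._new_id()
        self._sessions[sid] = Session()
        return sid

    def login(self, sid: str, user_id: str) -> str:
        """Privilege change: retire the pre-login id and issue a fresh one.

        The state moves to the new id; anyone still holding the old id is left
        with nothing, which is the point of regenerating on login.
        """
        session = self._sessions.pop(sid)
        session.user_id = user_id
        new_sid = self._new_id()
        self._sessions[new_sid] = session
        return new_sid

    def user_of(self, sid: str) -> Optional[str]:
        """Logged-in user for an id, or None for unknown/anonymous ids."""
        session = self._sessions.get(sid)
        return session.user_id if session else None
```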