Forum OpenACS Development: Re: Session Identifier Not Updated

Posted by Gustaf Neumann on
> May be you are right that the oacs version I'm having in the project open application is not the latest one.

I haven't mentioned anything in this direction. The change [1] is in acs-tcl/tcl/security-procs.tcl and addresses the regeneration of session-ids when the privilege level changes during login (recommended be You find material concerning "externally created session identifiers" on Wikipedia [2]. There are more possible attacks against session-ids that are not handled in OpenACS, but these address only sessions of not-logged-in users. As soon as a user is logged in, the login cookie secures the session-ids strongly. Security checkers looking only at the session-id will generate false positives.
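The regeneration behaviour described above, as an added Python illustration that is not OpenACS code (the `SessionStore` class and its method names are constructed for this example): when the privilege level changes at login, the session id issued before login is invalidated and a fresh one is issued, so an id known before authentication (an "externally created" one) no longer reaches the logged-in session.

```python
import secrets

# Minimal in-memory session store, constructed for this example.
class SessionStore:
    def __init__(self):
        # session_id -> {"user_id": ..., "privilege": ...}
        self._sessions = {}

    def new_anonymous_session(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user_id": None, "privilege": "anonymous"}
        return sid

    def login(self, sid, user_id, regenerate=True):
        """Raise the session from anonymous to authenticated.

        With regenerate=True the old id is dropped and a new one issued,
        so an id known before login cannot be used afterwards.
        With regenerate=False the old id keeps working (session fixation risk).
        """
        if sid not in self._sessions:
            raise KeyError("unknown session id")
        data = {"user_id": user_id, "privilege": "authenticated"}
        if regenerate:
            del self._sessions[sid]          # invalidate pre-login id
            sid = secrets.token_urlsafe(32)  # issue a fresh one
        self._sessions[sid] = data
        return sid

    def lookup(self, sid):
        return self._sessions.get(sid)


def pre_login_id_still_authenticated(regenerate):
    """Return True if the id held before login still maps to the logged-in session."""
    store = SessionStore()
    pre_login_sid = store.new_anonymous_session()
    post_login_sid = store.login(pre_login_sid, user_id=42, regenerate=regenerate)
    # The id issued at login must always be authenticated.
    assert store.lookup(post_login_sid)["privilege"] == "authenticated"
    stale = store.lookup(pre_login_sid)
    return stale is not None and stale["privilege"] == "authenticated"
```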