Forum OpenACS Development: Re: Session Identifier Not Updated

Posted by Klaus Hofeditz on
Hi Gustaf,
I thought of stepping in to help out.

From what I can see it's probably the following patch you are referring to:

Index: openacs-4/packages/acs-tcl/tcl/security-procs.tcl
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/security-procs.tcl,v
diff -u -N -r1.74.2.10 -r1.74.2.11
--- openacs-4/packages/acs-tcl/tcl/security-procs.tcl 14 Feb 2014 19:38:26 -0000
+++ openacs-4/packages/acs-tcl/tcl/security-procs.tcl 25 Jul 2014 23:33:11 -0000
@@ -419,6 +419,12 @@
# the empty string
set prev_user_id [ad_conn user_id]

+ #
+ # Change the session id for all user_id changes, also on
+ # changes from user_id 0, since owasp recommends to renew the
+ # session_id after any privilege level change
+ #
+ #if { $prev_user_id != 0 && $prev_user_id != $new_user_id }
if { $prev_user_id != 0 && $prev_user_id != $new_user_id } {
# this is a change in identity so we should create
# a new session so session-level data is not shared
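Review bot: the active condition on the `if` line is unchanged, so the hunk does not implement what its new comment describes. The comment says the session id should be renewed for all user_id changes, including changes from user_id 0, but the live test is still `if { $prev_user_id != 0 && $prev_user_id != $new_user_id }`, which is identical to the line added above it as a commented-out copy. With `$prev_user_id != 0` still in the condition, a change from an anonymous session (user_id 0) to a logged-in user keeps the old session id, which is exactly the privilege-level change the comment cites OWASP for. The intended change is presumably to drop the first clause and test only `$prev_user_id != $new_user_id`; the commented-out duplicate of the old condition should then be removed as well, since it otherwise reads as if the old form were still the intended one.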

Can you please review? Seems that logic did not change.

Posted by Vijay Deshmukh on
Thanks for the reply Klaus!!
Gustaf can you please comment on this?
Posted by Gustaf Neumann on
What do you expect me to comment on this? The change is the same change that I've committed 6 days ago to the code repository of OpenACS [1] noted in the posting nr 6 in this thread [2], posted 5 minutes before the posting of Klaus.

The question is rather, AppScan should stop complaining about using the same session id after the privilege change