Forum OpenACS Development: Re: Security Issue? Session Identifier Not Updated

3: Re: Security Issue? Session Identifier Not Updated (response to 2)

Posted by Frank Bergmann on 08/19/16 12:22 PM

Hi Gustaf,

Thanks a lot for the reply.

I was neither aware of the refreshing_p issue nor of the fix. I did read about the signature for session_id, but didn't understand the relevance to this issue.

I'll cross-link this answer from our forums. I'll also post an advisory for ]po[ V4.0 now.

Cheers,
Frank

4: Re: Security Issue? Session Identifier Not Updated (response to 3)

Posted by Gustaf Neumann on 08/19/16 03:34 PM

The change [2] is not doing, what the poster suggests, but it avoids many threads concerning stealing and manipulating session_ids. The session_id management in OpenACS is quite tricky and differs from many other framework, since it involves the interplay with other cookies as well. So, at least some attacks on session_ids from other frameworks don't necessarily apply as well on OpenACS.

OpenACS 5.9.0 fixes many more other attack vectors related with cross site scripting. The forthcoming OpenACS 5.9.1 addresses more injection attacks (both cross site scripting and SQL injection) identified with newer scanning and provides as well framework support for CSRF attacks (cross site request forgery)