Closed mahovich closed 5 years ago
@mahovich sorry, I don't understand the security problem. The session identifier is just used for comparison; does that cause any problems?
Only for comparison?? For example, in your example using Redis, a new session identifier specified by the user is written directly to the database!
@mahovich I got it! That is a problem! Thank you so much! 👍 But there is a test case that failed; I will check it.
If the session identifier requested by the user is not found in the session repository, a session is created with the identifier requested by the user. For example, when requesting a non-existent session:
a session will be created with the requested name `auth_admin`. This is not secure, given that you can specify control characters in the name of the session identifier.
The correct behavior in the absence of the requested session identifier would be to assign a new identifier.