parsivori / simplesamlphp

Automatically exported from code.google.com/p/simplesamlphp
Other
0 stars 0 forks source link

Force session id creation for new sessions #569

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Purpose of code changes on this branch:

Force session id creation for new sessions, i.e. do not use session id stored 
in cookie for new sessions.

Example for current behaviour:
1. someone tries to steal SSP session, i.e. is in possession of victims cookies
2. sends request to SSP with stolen cookies
3. session check function detects session stealing attempt and refuses to load 
victims session
4. new session is created but with the session id from cookie
5. the victims session is overwritten, i.e. victim is actually logged out from 
SSP

With this patch in step 4 is new session id generated, i.e. victims session is 
intact.

When reviewing my code changes, please focus on:

-

After the review, I'll merge this branch into:
/trunk

Original issue reported on code.google.com by comel...@gmail.com on 4 Sep 2013 at 1:26

Attachments:

GoogleCodeExporter commented 8 years ago
Can you please extract the code for creating a new session from 
getCookieSessionId() into a new function newSessionId()? That would make the 
code cleaner.

Original comment by olavmrk@gmail.com on 5 Sep 2013 at 7:17

GoogleCodeExporter commented 8 years ago
Here is the modified patch.

Original comment by comel...@gmail.com on 5 Sep 2013 at 10:48

Attachments:

GoogleCodeExporter commented 8 years ago
This patch looks good.

Original comment by olavmrk@gmail.com on 5 Sep 2013 at 11:43

GoogleCodeExporter commented 8 years ago
Committed as r3271.

Original comment by comel...@gmail.com on 5 Sep 2013 at 12:37