Support Session Fixation

[s-aska]

Catalyst::Plugin::Session change_session_id method support.

you should call $req->env->{'psgix.session.options'}->{'change_id'}++ in your login controller like this:

login controller.

if ($self->authenticate( { username => $user, password => $pass } )) {

login OK

$req->env->{'psgix.session.options'}->{'change_id'}++;
...

} else {

login FAILED

...

}

SEE ALSO Catalyst::Plugin::Session

[miyagawa]

Thanks, I understand the purpose of your patch, but i have a question.

Session Fixation is only possible when session ID is extracted from query parameters using XSS or CSRF type of attacks. So this only applies to (or at least, makes sense in) the default Plack::Session::State which uses query parameter - is that right?

(I honestly want to remove this query-parameter based session state management from the distribution for that reason, as well as the necessity to use Plack::Request just for this. At least I'd like to make it NOT the default thing to do.)

Also, Plack::Middleware::Session get_session() doesn't auto-populate the session when the given session ID when it doesn't exist in the store. So I wonder how the attack is possible - maybe the attacker accesses the site and gets the empty session ID and then use XSS/CSRF to redirect the victim? That might make sense.

[s-aska]

There is a danger that the Session ID that the attacker setup may be promoted.

• ja: 攻撃者の仕掛けたセッションIDが昇格してしまう恐れがあります。

[nihen]

Session Fixation is only possible when session ID is extracted from query parameters using XSS or CSRF type of attacks

no, There is cookie monster bug too. ref: http://www.westpoint.ltd.uk/advisories/wp-04-0001.txt

[miyagawa]

Merged.