Force session id creation for new sessions

[GoogleCodeExporter]

Purpose of code changes on this branch:

Force session id creation for new sessions, i.e. do not use session id stored 
in cookie for new sessions.

Example for current behaviour:
1. someone tries to steal SSP session, i.e. is in possession of victims cookies
2. sends request to SSP with stolen cookies
3. session check function detects session stealing attempt and refuses to load 
victims session
4. new session is created but with the session id from cookie
5. the victims session is overwritten, i.e. victim is actually logged out from 
SSP

With this patch in step 4 is new session id generated, i.e. victims session is 
intact.

When reviewing my code changes, please focus on:

-

After the review, I'll merge this branch into:
/trunk

Original issue reported on code.google.com by comel...@gmail.com on 4 Sep 2013 at 1:26

Attachments:

• session_id.patch

[GoogleCodeExporter]

Can you please extract the code for creating a new session from 
getCookieSessionId() into a new function newSessionId()? That would make the 
code cleaner.

Original comment by olavmrk@gmail.com on 5 Sep 2013 at 7:17

[GoogleCodeExporter]

Here is the modified patch.

Original comment by comel...@gmail.com on 5 Sep 2013 at 10:48

Attachments:

• session_id-2.patch

[GoogleCodeExporter]

This patch looks good.

Original comment by olavmrk@gmail.com on 5 Sep 2013 at 11:43

[GoogleCodeExporter]

Committed as r3271.

Original comment by comel...@gmail.com on 5 Sep 2013 at 12:37

• Changed state: Fixed