smholsen / SoftwareSecurityExcercise

Project for the Software Security Course @ NTNU.

Session management #9

Open smholsen opened 8 years ago

smholsen commented 8 years ago

What? Rework the way sessions are handled. Assign new session IDs after authentication (log-ins).

Why? Currently sessions are handled by storing username, password and isAdmin in a browser cookie. This is not secure.

This will mitigate the possibilities of an attacker modifying the cookie to escalate their privileges. (Escalating Account Privileges (OTG-AUTHZ-003) )

This will also mitigate the possibilities of privacy issues where sniffed cookies would contain personal information.

Attackers will no longer be able to bypass authentications by manually editing the contents of their browser stored cookie. (Bypassing Authentication (OTG-AUTHZ-002))

Assigning new session IDs after authentication will mitigate possibilities of an attacker tricking a user into entering their credentials on his session ID. (Session Fixation (OWASP A2))

How? Instead of storing a cookie with user-specific information, store a cookie with a session ID. Tie this session ID to the user server-side.

Session Hijacking is mitigated via SSL/HTTPS.
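The design described in this issue, as an added example that is not code from the SoftwareSecurityExcercise project: the cookie carries only an opaque, randomly generated session ID; the username and isAdmin flag live in a server-side table keyed by that ID; a successful login discards the pre-authentication ID and issues a fresh one (the session-fixation mitigation); and the cookie is sent with the Secure flag so it only travels over HTTPS. The user table, the static salt, the PBKDF2 parameters and the `SessionStore` API are assumptions made for the demo. The `legacy_is_admin` function shows, for contrast, the trust-the-cookie pattern the issue is replacing.

```python
import hashlib
import hmac
import secrets

# Constructed user table for the demo (not the project's own data).
# PBKDF2 with a static salt keeps the example short; a real application
# uses a per-user random salt and a slow KDF such as bcrypt or argon2.
_SALT = b"demo-static-salt"


def _hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {
    "alice": {"pw_hash": _hash_pw("correct horse"), "is_admin": False},
    "admin": {"pw_hash": _hash_pw("hunter2"), "is_admin": True},
}


def legacy_is_admin(cookie: dict) -> bool:
    """The pattern this issue replaces: privileges are read straight from
    client-controlled cookie fields, so the client decides its own role."""
    return cookie.get("isAdmin") == "true"


class SessionStore:
    """Server-side session table: opaque session ID -> session state.
    The cookie carries only the ID; username and isAdmin never leave the server."""

    def __init__(self) -> None:
        self._sessions: dict[str, dict] = {}

    @staticmethod
    def _new_id() -> str:
        # 32 random bytes from the OS CSPRNG, URL-safe encoded for the cookie.
        return secrets.token_urlsafe(32)

    def start_anonymous(self) -> str:
        """Pre-authentication session, e.g. for a shopping cart."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "is_admin": False}
        return sid

    def login(self, presented_sid: str, username: str, password: str):
        """Authenticate; on success drop the presented ID and issue a fresh
        one, so an ID fixed before login never becomes an authenticated
        session. Returns the new ID, or None on failure."""
        user = USERS.get(username)
        if user is None:
            return None
        # Constant-time comparison of the stored and computed hashes.
        if not hmac.compare_digest(user["pw_hash"], _hash_pw(password)):
            return None
        self._sessions.pop(presented_sid, None)  # invalidate the old ID
        sid = self._new_id()
        self._sessions[sid] = {"user": username, "is_admin": user["is_admin"]}
        return sid

    def lookup(self, sid: str):
        """Resolve a cookie value to server-side state. An edited or guessed
        ID is simply absent from the table; there is no client-side field
        whose value grants privileges."""
        return self._sessions.get(sid)

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    """Secure: sent only over HTTPS (the hijacking mitigation above);
    HttpOnly: not readable by page scripts; SameSite: not attached to
    most cross-site requests."""
    return f"Set-Cookie: sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

Note that the same `login` path is used whether or not the client presented a session ID beforehand: the server never promotes an existing ID, it always mints a new one after credentials are verified.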

smholsen commented 8 years ago

Started working on this.

smholsen commented 8 years ago

Next commit will (hopefully) fix all issues described in this issue topic, except session hijacking (which needs the SSL implementation described in #4).

smholsen commented 8 years ago

45cb8e33918f8cc7a02c77a22434c65a68072366 addresses session donation, but had bugs. These were fixed in 32949e8.