Replace session highjacking code in remove_user_sessions()
Affects | Status | Importance | Assigned to | Milestone | ||
---|---|---|---|---|---|---|
Mahara | ||||||
16.10 |
Won't Fix
|
Medium
|
Unassigned |
Bug Description
When we need to force a user to log out in Mahara (for instance, when an admin suspends a user's account, or someone resets their password and we'd like any other logged-in sessions of theirs to be force-logged out), we use a function in htdocs/
To delete all of user's sessions, it uses the technique described here: http://
1. Look up all of the target user's session IDs in the usr_session table
2. Store the current user's session ID in a local variable
3. Highjack each of the target user's session IDs, then call session_destroy() on each one.
4. Change back to the current user's session ID.
This works most of the time, but it has a *very* bad failure mode. If the function fails to restore the current user's session ID, or if the target user manages to load a page at just the right time, the target user and current user can wind up with the same session ID. Essentially an accidental session fixation attack.
Luckily, with the patch for Bug 1363873, this becomes easier to deal with. Now, a user has to have a record in the usr_session table to be logged in. That means we no longer need to actually destroy the sessions on the PHP side. We can just delete them from the usr_session table, and then they will no longer be logged-in sessions.
no longer affects: | mahara |
Patch for "master" branch: https:/ /reviews. mahara. org/6317