Session IDs not being regenerated

Bug #1567784 reported by Aaron Wells on 2016-04-08
Affects   Status   Importance   Assigned to   Milestone
Mahara             High         Unassigned
15.04              High         Unassigned
15.10              High         Unassigned
16.04              High         Unassigned
16.10              High         Unassigned

Bug Description

Security best practice requires that the session ID be changed whenever a user logs in or out (or makes other similar changes to their access level). If this is not done, then it makes session hijacking attacks a lot easier.

In PHP this is best done by calling the function session_regenerate_id(). And Mahara does indeed have quite old code that does this in htdocs/auth/user.php, whenever a user is logged in (but not logged out). However, this code stopped working in Mahara 15.04. This appears to be due to the changes we made to htdocs/auth/session.php to prevent session locking from interfering with ajax scripts, which cause session_start() and session_write_close() to be called several times per script execution instead of just once.

We need to:

1. Make sure that session_regenerate_id() works correctly, so that the user's session ID really does change when they log in (preferably in a way that will work for all auth methods)

2. And expand this so that the user's session ID is also changed when they log out.
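The failure mode described above, as an added example that is not Mahara's patch or code from this report: session_regenerate_id() returns false when the session has already been closed with session_write_close(), so a wrapper has to reopen the session first. The function names are hypothetical, and the script assumes PHP's default file session handler and no output before the session calls.

```php
<?php
// Added illustration; function names are hypothetical, not Mahara's.

// Regenerate the session ID even when an earlier session_write_close()
// has already closed the session. Returns true only if the ID changed.
function regenerate_session_id_safely() {
    $wasclosed = (session_status() !== PHP_SESSION_ACTIVE);
    if ($wasclosed && !session_start()) {
        return false;              // could not reopen (e.g. headers already sent)
    }
    $old = session_id();
    // true = delete the old session's data so the old ID becomes useless.
    $ok = session_regenerate_id(true) && session_id() !== $old;
    if ($wasclosed) {
        session_write_close();     // restore the unlocked state for the caller
    }
    return $ok;
}

function on_login($username) {
    $changed = regenerate_session_id_safely();
    session_start();
    $_SESSION['user'] = $username; // constructed sample state
    session_write_close();
    return $changed;
}

function on_logout() {
    session_start();
    $_SESSION = array();           // drop the authenticated state
    session_write_close();
    return regenerate_session_id_safely();
}

// Demonstration: reproduce the closed-session state from the bug report.
session_start();
$anon = session_id();
session_write_close();

$naive = @session_regenerate_id(true);   // false: no active session
$afternaive = session_id();              // unchanged, still the pre-login ID
$login = on_login('alice');
$afterlogin = session_id();
$logout = on_logout();
$afterlogout = session_id();

// Output is deferred to the end so no headers are sent before session calls.
echo "naive call succeeded: ", var_export($naive, true), "\n";
echo "ID unchanged after naive call: ", var_export($afternaive === $anon, true), "\n";
echo "ID changed on login: ", var_export($login && $afterlogin !== $anon, true), "\n";
echo "ID changed on logout: ", var_export($logout && $afterlogout !== $afterlogin, true), "\n";
```

Checking the return value matters because on older PHP versions the naive call fails without any warning, which is how a regression like this can go unnoticed.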

Aaron Wells (u-aaronw) on 2016-04-21
information type: Private Security → Public Security

Reviewed: https://reviews.mahara.org/6374
Committed: https://git.mahara.org/mahara/mahara/commit/16305b41e01dbe04e81c22f79dc5ee2fb63336f9
Submitter: Aaron Wells (<email address hidden>)
Branch: 16.04_STABLE

commit 16305b41e01dbe04e81c22f79dc5ee2fb63336f9
Author: Aaron Wells <email address hidden>
Date: Fri Apr 15 20:16:06 2016 +1200

Bug 1567784: session_regenerate_id() not working

We have existing code that tries to regenerate your
session ID when you log in. But it stopped working
in PHP 15.04 because the session has usually been
closed when it gets called.

Change-Id: I5f99cdf355892040866bb0113fd934e3d37bf33c
behatnotneeded: Can't be tested by behat
(cherry picked from commit a923f51be7723a640b4ddbcf9163a8128b9ec4b3)

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/6375
Committed: https://git.mahara.org/mahara/mahara/commit/fef939a0435353067d07c16154d347cfd7c039d1
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.10_STABLE

commit fef939a0435353067d07c16154d347cfd7c039d1
Author: Aaron Wells <email address hidden>
Date: Fri Apr 15 20:16:06 2016 +1200

Bug 1567784: session_regenerate_id() not working

We have existing code that tries to regenerate your
session ID when you log in. But it stopped working
in PHP 15.04 because the session has usually been
closed when it gets called.

Change-Id: I5f99cdf355892040866bb0113fd934e3d37bf33c
behatnotneeded: Can't be tested by behat
(cherry picked from commit a923f51be7723a640b4ddbcf9163a8128b9ec4b3)

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/6376
Committed: https://git.mahara.org/mahara/mahara/commit/4692ab43960fbd3819bbf007877ebccb1cc98fd0
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.04_STABLE

commit 4692ab43960fbd3819bbf007877ebccb1cc98fd0
Author: Aaron Wells <email address hidden>
Date: Fri Apr 15 20:16:06 2016 +1200

Bug 1567784: session_regenerate_id() not working

We have existing code that tries to regenerate your
session ID when you log in. But it stopped working
in PHP 15.04 because the session has usually been
closed when it gets called.

Change-Id: I5f99cdf355892040866bb0113fd934e3d37bf33c
behatnotneeded: Can't be tested by behat
(cherry picked from commit a923f51be7723a640b4ddbcf9163a8128b9ec4b3)

Robert Lyon (robertl-9) on 2016-10-21
Changed in mahara:
status: Fix Committed → Fix Released