Session ID's not being regenerated
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Mahara | Fix Released | High | Unassigned | |
| 15.04 | Fix Released | High | Unassigned | |
| 15.10 | Fix Released | High | Unassigned | |
| 16.04 | Fix Released | High | Unassigned | |
| 16.10 | Fix Released | High | Unassigned | |
Bug Description
Security best practice requires that the session ID be changed whenever a user logs in or out (or makes other similar changes to their access level). If this is not done, it makes session hijacking attacks a lot easier.
In PHP this is best done by calling the function session_
We need to:
1. Make sure that session_
2. And expand this so that the user's session ID is also changed when they log out.
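As an added illustration (not Mahara's code, and not the patch linked below), the two boundaries the list above names, login and logout, each get a fresh PHP session ID; the credential check is a constructed stand-in, and the user and password values are made up.

```php
<?php
// Added example, not Mahara's code: rotate the PHP session ID at the two
// access-level boundaries this bug names, login and logout.
function start_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Constructed stand-in for a real credential check (assumes password_hash()
// digests keyed by username).
function credentials_valid(string $user, string $password): bool
{
    $store = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    return isset($store[$user]) && password_verify($password, $store[$user]);
}

// Login: regenerate before anything marking the session as authenticated is
// stored; true deletes the old record so the pre-login ID cannot be replayed.
function login(string $user, string $password): bool
{
    start_session();
    if (!credentials_valid($user, $password)) {
        return false; // failed attempts keep the anonymous ID
    }
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    return true;
}

// Logout: clear the data, then rotate again so the authenticated ID is dead
// even if a browser or a copied cookie presents it later.
function logout(): void
{
    start_session();
    $_SESSION = [];
    session_regenerate_id(true);
}

// Self-check when run from the CLI: the ID must differ across both boundaries.
if (PHP_SAPI === 'cli') {
    start_session();
    $anon = session_id();
    login('alice', 'correct horse');
    $authed = session_id();
    logout();
    printf("login rotated: %s, logout rotated: %s\n",
        $anon !== $authed ? 'yes' : 'NO', $authed !== session_id() ? 'yes' : 'NO');
}
```

Pair this with `session.use_strict_mode=1` in php.ini so the server also refuses to adopt session IDs it never issued.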
information type: Private Security → Public Security
Changed in mahara:
status: Fix Committed → Fix Released
Patch: https://reviews.mahara.org/6349