Mahara

Session ID's not being regenerated

Bug #1567784 reported by Aaron Wells on 2016-04-08

256

This bug affects 1 person

	Status	Importance	Assigned to	Milestone
Mahara	Fix Released	High	Unassigned	Mahara 16.04.0
15.04	Fix Released	High	Unassigned	Mahara 15.04.7
15.10	Fix Released	High	Unassigned	Mahara 15.10.3
16.04	Fix Released	High	Unassigned	Mahara 16.04.0
16.10	Fix Released	High	Unassigned	Mahara 16.10.0

Bug Description

Security best practice requires that the session ID be changed whenever a user logs in or out (or makes other similar changes to their access level). If this is not done, then it makes session highjacking attacks a lot easier.

In PHP this is best done by calling the function session_regenerate_id(). And Mahara does indeed have quite old code that does this in htdocs/auth/user.php, whenever a user is logged in (but not logged out). However, this code stopped working in Mahara 15.04. This appears to be due to the changes we made to htdocs/auth/session.php to prevent session locking from interfering with ajax scripts, which cause session_start() and session_write_close() to be called several times per script execution instead of just once.

We need to:

1. Make sure that session_regenerate_id() works correctly, so that the user's session ID really does change when they log in (preferrably in a way that will work for all auth methods)

2. And expand this so that the user's session ID is also changed when they log out.

CVE References

2017-1000150

Revision history for this message

Aaron Wells (u-aaronw) wrote on 2016-04-15:

Patch: https://reviews.mahara.org/6349

Aaron Wells (u-aaronw) on 2016-04-21

information type:

Private Security → Public Security

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2016-04-21: A change has been merged

Reviewed: https://reviews.mahara.org/6374
Committed: https://git.mahara.org/mahara/mahara/commit/16305b41e01dbe04e81c22f79dc5ee2fb63336f9
Submitter: Aaron Wells (<email address hidden>)
Branch: 16.04_STABLE

commit 16305b41e01dbe04e81c22f79dc5ee2fb63336f9
Author: Aaron Wells <email address hidden>
Date: Fri Apr 15 20:16:06 2016 +1200

Bug 1567784: session_regenerate_id() not working

We have existing code that tries to regenerate your
session ID when you log in. But it stopped working
in PHP 15.04 because the session has usually been
closed when it gets called.

Change-Id: I5f99cdf355892040866bb0113fd934e3d37bf33c
behatnotneeded: Can't be tested by behat
(cherry picked from commit a923f51be7723a640b4ddbcf9163a8128b9ec4b3)

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2016-04-21:

Reviewed: https://reviews.mahara.org/6375
Committed: https://git.mahara.org/mahara/mahara/commit/fef939a0435353067d07c16154d347cfd7c039d1
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.10_STABLE

commit fef939a0435353067d07c16154d347cfd7c039d1
Author: Aaron Wells <email address hidden>
Date: Fri Apr 15 20:16:06 2016 +1200

Bug 1567784: session_regenerate_id() not working

We have existing code that tries to regenerate your
session ID when you log in. But it stopped working
in PHP 15.04 because the session has usually been
closed when it gets called.

Change-Id: I5f99cdf355892040866bb0113fd934e3d37bf33c
behatnotneeded: Can't be tested by behat
(cherry picked from commit a923f51be7723a640b4ddbcf9163a8128b9ec4b3)

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2016-04-21:

Reviewed: https://reviews.mahara.org/6376
Committed: https://git.mahara.org/mahara/mahara/commit/4692ab43960fbd3819bbf007877ebccb1cc98fd0
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.04_STABLE

commit 4692ab43960fbd3819bbf007877ebccb1cc98fd0
Author: Aaron Wells <email address hidden>
Date: Fri Apr 15 20:16:06 2016 +1200

Bug 1567784: session_regenerate_id() not working

We have existing code that tries to regenerate your
session ID when you log in. But it stopped working
in PHP 15.04 because the session has usually been
closed when it gets called.

Change-Id: I5f99cdf355892040866bb0113fd934e3d37bf33c
behatnotneeded: Can't be tested by behat
(cherry picked from commit a923f51be7723a640b4ddbcf9163a8128b9ec4b3)

Robert Lyon (robertl-9) on 2016-10-21

Changed in mahara:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.