Need to kill web service authentication session at end of process
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Mahara | Fix Released | High | Unassigned | |
| 20.04 | Fix Released | High | Unassigned | |
| 20.10 | Fix Released | High | Unassigned | |
| 21.04 | Fix Released | High | Unassigned | |
Bug Description
Currently when a token-based webservice is called it authenticates the owner of the token on the Mahara end so that any functions called by the service can only be executed if the authenticated token owner can run those functions.
One of the problems with the current setup is we don't then kill the session of this token owner when the webservice call is completed.
This means if one hits a site with a crafted URL containing a valid token but no webservice function they will get an error message page, but if they then go to the home page of the site they will find they are logged in as the token owner.
In the webservice_
And in that method there is nothing to actually handle the logging out of that session.
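A constructed model of the request lifecycle the report describes, added here as an illustration and not Mahara's own code (the token table, session store and function names are stand-ins). It shows that ending the token owner's session in a `finally` block clears the leftover login on the error path as well as on the success path:

```python
"""Toy model of a token-authenticated web service call and its session
lifecycle. Constructed illustration, not Mahara's code: the session store,
token table and function registry are all stand-ins."""

# Constructed sample data (not real Mahara tokens or users).
TOKENS = {"tok-abc123": "alice"}
FUNCTIONS = {"get_profile": lambda user: f"profile of {user}"}


class SessionStore:
    """Minimal server-side session table keyed by client cookie."""

    def __init__(self):
        self.sessions = {}

    def login(self, cookie, user):
        self.sessions[cookie] = user

    def logout(self, cookie):
        self.sessions.pop(cookie, None)

    def current_user(self, cookie):
        return self.sessions.get(cookie)


def handle_request(store, cookie, token, function, end_session):
    """Authenticate the token owner into the session, run the requested
    function and, when end_session is True, log the token owner out again
    whether the call succeeded or failed (the behaviour the bug asks for)."""
    user = TOKENS.get(token)
    if user is None:
        return {"error": "invalid token"}
    store.login(cookie, user)  # token owner is now logged in for this request
    try:
        if function not in FUNCTIONS:
            # the crafted-URL case from the report: valid token, no function
            return {"error": "unknown function"}
        return {"result": FUNCTIONS[function](user)}
    finally:
        if end_session:
            store.logout(cookie)


def session_leaks(end_session):
    """Return True if a visit to the home page after a failed web service
    call still finds the token owner logged in."""
    store = SessionStore()
    handle_request(store, "cookie-1", "tok-abc123", "", end_session)
    return store.current_user("cookie-1") is not None
```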
Changed in mahara:

| Field | Change |
|---|---|
| status | Confirmed → In Progress |
| no longer affects | mahara/21.10 |
| information type | Private Security → Public Security |
https://reviews.mahara.org/#/c/11814/