Old cookies lingering allowing one to login without giving login details

https://reviews.mahara.org/#/c/7870/

CVE-2017-14163

Got an email about this issue.

The scenario that is described here is a perfectly valid use of session. We can never know that user terminated the browser, so the only thing we can do is to look for old sessions and purge old one after some lengthy inactivity. There is already a session timeout mechanism in place. Reusing own cookie in different browser is definitely not a security issue.

"This should reduce the chance of someone capturing the cookie value on the network and using it" is not right... Once you get access to someone's cookies it is pretty much game over.

We have a session timeout code and we are setting proper security flags on our cookie - that is far far more important!

Email change with password? This doesn't make it more secure. Sending confirmation to previous and already verified email is the best way to confirm it is you. However, I do realise that email is not a required field in Mahara. Also, how would this password confirmation work with SSO?

Re: the user agent, I am not sure if that is a good idea either. According https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Binding_the_Session_ID_to_Other_User_Properties it is a good thing to capture, but does nothing against skilled hackers. If we need to add a user agent, it can be added to $_SESSION itself, no need to modify database structure.

Optional IP locking might be a good thing to add. It is rarely used this days, but can be useful when necessary.

Thank you for your concerns, Yuliya. We'll discuss this a bit more and post a suggestion for review here to see what can be done.

Having discussed this some more we will proceed with points 1) and 2) from initial description
but for point 3) we will do this instead:

3) On adding a new email via the Content -> Profile section we will send 2 emails
- one to the new email address asking user to confirm address
- and one to the primary email address to alert user that a new email is being added to their account and if this is bad how to contact their admin about the problem.

Reported by Mushraf Mustafa

Reviewed: https://reviews.mahara.org/7998
Committed: https://git.mahara.org/mahara/mahara/commit/1b7859ab1361cf1ed095ec030d8643e3043bb289
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.04_STABLE

commit 1b7859ab1361cf1ed095ec030d8643e3043bb289
Author: Robert Lyon <email address hidden>
Date: Fri Sep 8 09:44:26 2017 +1200

Security Bug 1701978: fix session cookie issues

1. when a user logs in it clears any obsolete
usr_session cookies for the user
2. recording the user-agent of the session
and if it changes to prompt the user to
login again
3. when self adding / editing email address(es)
send 2 emails
 - one to the new email address asking user to confirm address
 - and one to the primary email address to alert user
 that a new email is being added to their account and
 if this is bad how to contact their admin about the problem.

behatnotneeded
Change-Id: Ia44b66cf831abd553b72aa8b1d58d2a2634863b8

Reviewed: https://reviews.mahara.org/8000
Committed: https://git.mahara.org/mahara/mahara/commit/424ded281718e23acfb08c4c0cc7772b2bbd9585
Submitter: Robert Lyon (<email address hidden>)
Branch: 16.04_STABLE

commit 424ded281718e23acfb08c4c0cc7772b2bbd9585
Author: Cecilia Vela Gurovic <email address hidden>
Date: Wed Jul 5 13:16:07 2017 +1200

Security Bug 1701978: fix session cookie issues

1. when a user logs in it clears any obsolete
usr_session cookies for the user
2. recording the user-agent of the session
and if it changes to prompt the user to
login again
3. when self adding / editing email address(es)
send 2 emails
 - one to the new email address asking user to confirm address
 - and one to the primary email address to alert user
 that a new email is being added to their account and
 if this is bad how to contact their admin about the problem.

behatnotneeded
Change-Id: Ia44b66cf831abd553b72aa8b1d58d2a2634863b8

Reviewed: https://reviews.mahara.org/8002
Committed: https://git.mahara.org/mahara/mahara/commit/69bcdb52be49481c03b26410553169bfc0acbcb5
Submitter: Robert Lyon (<email address hidden>)
Branch: 16.10_STABLE

commit 69bcdb52be49481c03b26410553169bfc0acbcb5
Author: Cecilia Vela Gurovic <email address hidden>
Date: Wed Jul 5 13:16:07 2017 +1200

Security Bug 1701978: fix session cookie issues

1. when a user logs in it clears any obsolete
usr_session cookies for the user
2. recording the user-agent of the session
and if it changes to prompt the user to
login again
3. when self adding / editing email address(es)
send 2 emails
 - one to the new email address asking user to confirm address
 - and one to the primary email address to alert user
 that a new email is being added to their account and
 if this is bad how to contact their admin about the problem.

behatnotneeded
Change-Id: Ia44b66cf831abd553b72aa8b1d58d2a2634863b8

Reviewed: https://reviews.mahara.org/8005
Committed: https://git.mahara.org/mahara/mahara/commit/1b7ae5f30245e32335f111bc0290597822e9273b
Submitter: Robert Lyon (<email address hidden>)
Branch: 17.04_STABLE

commit 1b7ae5f30245e32335f111bc0290597822e9273b
Author: Cecilia Vela Gurovic <email address hidden>
Date: Wed Jul 5 13:16:07 2017 +1200

Security Bug 1701978: fix session cookie issues

1. when a user logs in it clears any obsolete
usr_session cookies for the user
2. recording the user-agent of the session
and if it changes to prompt the user to
login again
3. when self adding / editing email address(es)
send 2 emails
 - one to the new email address asking user to confirm address
 - and one to the primary email address to alert user
 that a new email is being added to their account and
 if this is bad how to contact their admin about the problem.

behatnotneeded
Change-Id: Ia44b66cf831abd553b72aa8b1d58d2a2634863b8