Subject: Support for generating new session id
Date: Wed, 9 Jan 2008 14:24:06 +0100
From: Robert Bauck Hamar <firstname.lastname@example.org>
The book /Innocent Code/ (<URL:>) stresses the importance of generating new session IDs after authentication. This is due to a security hazard: If a person accesses a page using authentication and sessions (say , a session id will be generated for him. If he now tricks a victim into accessing the page URL with this session id in the query (ex: , he might now have given the victim a valid session id, and if the victim logs in, the attacker will hold an authenticated session id.

The fix is simple: When a user's credentials are verified, a new session should be generated as a copy of the old one before it is marked as authenticated.

I request:

* a renew method in CAP::Session that will create a new session as a copy of the existing one, replace the session object, and generate a new cookie header.

* a config option for CAP::Store::Session to use this method whenever a user logs in. This could be implemented so that whenever save is called with a given key, a new session should be generated, or something similar.

-- 
Robert Bauck Hamar
USIT/SAPP/GT - Cerebrum
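The scenario and the requested renew-on-login behaviour, played through in a small in-memory model. This is an added illustration and not CAP::Session or any Catalyst code; the SessionStore class, its renew and login methods, and the USERS table are assumptions constructed for the example. The point it makes is the one in the message: once login copies the session to a fresh id and discards the old one, an id that was handed out before authentication never becomes an authenticated id.

```python
import hmac
import secrets

# Constructed user table for the example; not real credentials.
USERS = {"alice": "correct horse battery staple"}


class SessionStore:
    """Minimal in-memory session store (illustration only, not CAP::Session)."""

    def __init__(self):
        self.sessions = {}  # session id -> session data

    def new_session(self):
        """Create an unauthenticated session under a fresh random id."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"authenticated": False, "user": None}
        return sid

    def resolve(self, presented_sid):
        """Pick the session for a request that presented presented_sid
        (from a cookie or a query string). A known id is reused as-is;
        an unknown or missing id gets a fresh session."""
        if presented_sid in self.sessions:
            return presented_sid
        return self.new_session()

    def renew(self, sid):
        """The requested 'renew': copy the session to a fresh id and drop the
        old one, so any id issued before login stops being valid afterwards."""
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = dict(self.sessions.pop(sid))
        return new_sid

    def login(self, sid, username, password, renew_on_login):
        """Verify credentials; on success, optionally renew the session id,
        then mark the session authenticated. Returns the session id to send
        back to the client."""
        expected = USERS.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            return sid  # credentials rejected; session left unchanged
        if renew_on_login:
            sid = self.renew(sid)
        self.sessions[sid]["authenticated"] = True
        self.sessions[sid]["user"] = username
        return sid

    def is_authenticated(self, sid):
        return self.sessions.get(sid, {}).get("authenticated", False)


def fixation_scenario(renew_on_login):
    """Play through the message's scenario: an attacker obtains a valid session
    id, the victim's request carries that id, and the victim logs in.
    Returns (planted_id_now_authenticated, victim_received_new_id)."""
    store = SessionStore()
    planted_sid = store.new_session()        # id obtained by visiting the site
    victim_sid = store.resolve(planted_sid)  # victim's request presents that id
    victim_sid = store.login(victim_sid, "alice", USERS["alice"], renew_on_login)
    return store.is_authenticated(planted_sid), victim_sid != planted_sid


if __name__ == "__main__":
    print("without renew:", fixation_scenario(False))  # (True, False)
    print("with renew:   ", fixation_scenario(True))   # (False, True)
```

The same two calls are what a regression test for the config option would check: with renew-on-login off, the planted id ends up authenticated; with it on, the planted id is gone from the store and the logged-in user holds a fresh one.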