This queue is for tickets about the CGI-Application-Plugin-Authentication CPAN distribution.

Report information

The Basics
Id: 32193
Status: new
Priority: Low/Low

People
Owner: SILASMONK [...] cpan.org
Requestors: r.b.hamar [...] usit.uio.no
Cc:
AdminCc:

BugTracker
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Support for generating new session id
Date: Wed, 9 Jan 2008 14:24:06 +0100
To: bug-CGI-Application-Plugin-Authentication@rt.cpan.org, bug-CGI-Application-Plugin-Session@rt.cpan.org
From: Robert Bauck Hamar <r.b.hamar@usit.uio.no>
The book /Innocent Code/ (<URL:http://innocentcode.thathost.com/>) stresses the importance of generating new session IDs after authentication. This is due to a security hazard: If a person accesses a page using authentication and sessions (say http://example.com/example.cgi), a session id will be generated for him. If he now tricks a victim to access the page url with this session id in the query (ex: http://example.com/example.cgi?CGISESSID=secretid), he might now have given the victim a valid session id, and if the victim logs in, the attacker will hold an authenticated session id.

The fix is simple: When a user's credentials are verified, a new session should be generated as a copy of the old before it is marked as authenticated.

I request:

* a renew method in CAP::Session that will create a new session as a copy of the existing, replace the session object, and generate a new cookie header.
* a config option for CAP::Store::Session to use this method whenever a user logs in. This could be implemented so that whenever save is called with a given key, a new session should be generated, or something similar.

--
Robert Bauck Hamar
USIT/SAPP/GT - Cerebrum
http://www.uio.no/sok?person=hamar
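The renewal the report asks for, as an added stand-alone example (not code from the ticket or from the CGI-Application plugins): `renew_session` copies the user-visible parameters of the pre-login session into a fresh CGI::Session, destroys the old one so its id stops working, and the response header carries the new id. It assumes a file-backed store in a temporary directory and a hand-built CGI object, both constructed here for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use CGI::Session;
use File::Temp qw(tempdir);

# Constructed store: a throwaway directory for the file driver.
my $dir  = tempdir( CLEANUP => 1 );
my %opts = ( Directory => $dir );
my $dsn  = 'driver:file';

# Hypothetical helper: build a new session that carries over the parameters
# of $old, then delete $old so the id the victim arrived with is dead.
sub renew_session {
    my ($old) = @_;
    my $new = CGI::Session->new( $dsn, $old->query, \%opts )
        or die CGI::Session->errstr;
    for my $name ( $old->param ) {          # user parameters only, no _SESSION_* keys
        $new->param( $name, $old->param($name) );
    }
    $old->delete;                           # mark the pre-login session for removal
    $old->flush;                            # ...and remove it from the store now
    $new->flush;
    return $new;
}

# A request with no session cookie, so a brand-new pre-login session is made.
my $cgi     = CGI->new( {} );
my $session = CGI::Session->new( $dsn, $cgi, \%opts ) or die CGI::Session->errstr;
$session->param( cart => ['item-42'] );    # state gathered before login
my $pre_login_id = $session->id;

# ... credentials verified here; only now does the id get replaced ...
$session = renew_session($session);
$session->param( authenticated => 1 );     # mark the *new* session as logged in

print "old id: $pre_login_id\n", "new id: ", $session->id, "\n";
print "cart carried over: ", $session->param('cart')->[0], "\n";

# The old id must no longer resolve to a live session.
my $stale = CGI::Session->load( $dsn, $pre_login_id, \%opts );
print "old id still valid: ", ( $stale && !$stale->is_empty ? 'yes' : 'no' ), "\n";

# The Set-Cookie line in this header names the new id, not the old one.
print $session->header();
```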



