https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Renew_the_Session_ID_After_Any_Privilege_Level_ChangeRenew the Session ID After Any Privilege Level Change
The session ID must be renewed or regenerated by the web application after any privilege level change within the associated user session. The most common scenario where the session ID regeneration is mandatory is during the authentication process, as the privilege level of the user changes from the unauthenticated (or anonymous) state to the authenticated state. Other common scenarios must also be considered, such as password changes, permission changes or switching from a regular user role to an administrator role within the web application. For all these web application critical pages, previous session IDs have to be ignored, a new session ID must be assigned to every new request received for the critical resource, and the old or previous session ID must be destroyed.
The most common web development frameworks provide session functions and methods to renew the session ID, such as “request.getSession(true) & HttpSession.invalidate()” (J2EE), “Session.Abandon() & Response.Cookies.Add(new…)“ (ASP .NET), or “session_start() & session_regenerate_id(true)” (PHP).
The session ID regeneration is mandatory to prevent session fixation attacks [3], where an attacker sets the session ID on the victims user web browser instead of gathering the victims session ID, as in most of the other session-based attacks, and independently of using HTTP or HTTPS. This protection mitigates the impact of other web-based vulnerabilities that can also be used to launch session fixation attacks, such as HTTP response splitting or XSS [4].
A complementary recommendation is to use a different session ID or token name (or set of session IDs) pre and post authentication, so that the web application can keep track of anonymous users and authenticated users without the risk of exposing or binding the user session between both states.
--
-- mail from:GoogleGroups "web2py-developers" mailing list
make speech: web2py-d...@googlegroups.com
unsubscribe: web2py-develop...@googlegroups.com
details : http://groups.google.com/group/web2py-developers
the project: http://code.google.com/p/web2py/
official : http://www.web2py.com/
---
You received this message because you are subscribed to the Google Groups "web2py-developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to web2py-develop...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
I would like to better understand how an attack would work and if it is possible, in the current web2py scenario. The only possibility is session stealing but changing the session id does not mitigate that in my opinion.
Both scenarios assume cookie stealing, not session fixation (which is what Andre was concerned about). If the attacker has the ability to steal a cookie (because has access to the communication or the client browser) what difference does it make that the session id was changed?
Anyway, if the user logs off, than the session becomes invalid (even if stolen).
Anyway, I do not oppose to changing this behavior. First of all I would add a function session.reissue(). Second we can conditionally add it to admin login/logout and auth login/logout.We need to consider the implications of this on existing applications (think of the case of somebody building a shopping cart and then logging in to pay, perhaps session.reissue() should change the id number but preserve the data) and on load balancers using sticky sessions.
530 + if response.session_storage_type == 'cookie' or \
531 + not response.session_id:
532 + raise Exception('No session ID to renew')
It cannot raise an exception here. ..
I only forgot to test cookie_key. ..
All the rest is working fine
I'll fix this and upload again tomorrow
Sorry for that
The only thing that will change in old applications (once you upgrade your framework files) is:
- session id will be changed after login and logout
- session vars will be cleared after logout
And there will exist a possibility to change this in the parameters.
I don't see any backward compatibility issues this way, an this is fixing the 2 situations mentioned above, making sessions secure by default, wirhout need extra configuration.
You received this message because you are subscribed to a topic in the Google Groups "web2py-developers" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/web2py-developers/fvXIthL_0KY/unsubscribe.
To unsubscribe from this group and all its topics, send an email to web2py-develop...@googlegroups.com.
You're right about client _check variable. .. I'd added to my first code and removed later, i forget to remove it from func def. :D
Plz just remove it.
# move cookies to headers
+ cookies_val = []
for key, value in cookies.iteritems():
- req.add_header('Cookie', '%s=%s' % (key, value))
+ cookies_val.append('%s=%s' % (key, value))
+ cookies_val = ','.join(cookies_val)
+ req.add_header('Cookie', cookies_val)
- Request.add_header(key, val)
Add another header to the request. (...) Note that there cannot be more than one header with the same name, and later calls will overwrite previous calls in case the key collides.
http://docs.python.org/2/library/urllib2.html#urllib2.Request.add_header
- self.cookies = {}
+ #self.cookies = {}
if 'set-cookie' in self.headers:
for item in self.headers['set-cookie'].split(','):
key, value = item[:item.find(';')].split('=')
- self.cookies[key.strip()] = value.strip()
+ self.cookies[key.strip()] = value.strip()
# copy headers from dict to list of key,value
headers_list = []
for key, value in self.default_headers.iteritems():
if not key in headers:
headers[key] = value
# add headers to request
for key, value in headers_list:
opener.addheaders.append((key, str(value)))
You received this message because you are subscribed to a topic in the Google Groups "web2py-developers" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/web2py-developers/fvXIthL_0KY/unsubscribe.
To unsubscribe from this group and all its topics, send an email to web2py-develop...@googlegroups.com.