mahara-contributors team mailing list archive
Message #34259
[Bug 1567784] A change has been merged
Reviewed: https://reviews.mahara.org/6374
Committed: https://git.mahara.org/mahara/mahara/commit/16305b41e01dbe04e81c22f79dc5ee2fb63336f9
Submitter: Aaron Wells (aaronw@xxxxxxxxxxxxxxx)
Branch: 16.04_STABLE
commit 16305b41e01dbe04e81c22f79dc5ee2fb63336f9
Author: Aaron Wells <aaronw@xxxxxxxxxxxxxxx>
Date: Fri Apr 15 20:16:06 2016 +1200
Bug 1567784: session_regenerate_id() not working
We have existing code that tries to regenerate your
session ID when you log in. But it stopped working
in PHP 15.04 because the session has usually been
closed when it gets called.
Change-Id: I5f99cdf355892040866bb0113fd934e3d37bf33c
behatnotneeded: Can't be tested by behat
(cherry picked from commit a923f51be7723a640b4ddbcf9163a8128b9ec4b3)
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1567784
Title:
Session IDs not being regenerated
Status in Mahara:
Fix Committed
Status in Mahara 15.04 series:
In Progress
Status in Mahara 15.10 series:
In Progress
Status in Mahara 16.04 series:
Fix Committed
Status in Mahara 16.10 series:
Fix Committed
Bug description:
Security best practice requires that the session ID be changed
whenever a user logs in or out (or makes other similar changes to
their access level). If this is not done, then it makes session
hijacking attacks a lot easier.
In PHP this is best done by calling the function
session_regenerate_id(). And Mahara does indeed have quite old code
that does this in htdocs/auth/user.php, whenever a user is logged in
(but not logged out). However, this code stopped working in Mahara
15.04. This appears to be due to the changes we made to
htdocs/auth/session.php to prevent session locking from interfering
with ajax scripts, which cause session_start() and
session_write_close() to be called several times per script execution
instead of just once.
We need to:
1. Make sure that session_regenerate_id() works correctly, so that the
user's session ID really does change when they log in (preferably in
a way that will work for all auth methods)
2. And expand this so that the user's session ID is also changed when
they log out.
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1567784/+subscriptions
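The failure mode the bug describes is that session_regenerate_id() does nothing once session_write_close() has already run, so the login code's call became a no-op. The sketch below, added here as an illustration and not taken from the Mahara commit, shows the general pattern: reopen the session if it is closed, regenerate the ID with the old session data deleted, and do so on both login and logout. The names with_open_session(), on_login() and on_logout() are hypothetical.

```php
<?php
// Added illustration, not Mahara's code. The helper and hook names are hypothetical.

/**
 * Run $fn with an active session. Scripts that open and close the session
 * several times (to avoid session locking during ajax calls) may have
 * already called session_write_close(); session_regenerate_id() only works
 * while the session is active, so reopen it and restore the prior state.
 */
function with_open_session(callable $fn): void {
    $was_closed = (session_status() !== PHP_SESSION_ACTIVE);
    if ($was_closed && !session_start()) {
        throw new RuntimeException('Could not reopen session');
    }
    $fn();
    if ($was_closed) {
        session_write_close();
    }
}

/** Called once the user's credentials have been verified. */
function on_login(int $userid): void {
    with_open_session(function () use ($userid) {
        // Issue a fresh ID before the session becomes authenticated, so an ID
        // fixed or observed before login is never bound to the account.
        // true = destroy the old session file so the old ID stops working.
        if (!session_regenerate_id(true)) {
            throw new RuntimeException('Could not regenerate session ID');
        }
        $_SESSION['userid'] = $userid;
    });
}

/** Called when the user logs out; the authenticated ID must die here too. */
function on_logout(): void {
    with_open_session(function () {
        $_SESSION = [];
        // New ID for the now-anonymous session; the old one is deleted.
        if (!session_regenerate_id(true)) {
            throw new RuntimeException('Could not regenerate session ID');
        }
    });
}
```

Because with_open_session() checks session_status() rather than assuming the session is open, the regeneration works regardless of how many times the surrounding script has already started and closed the session.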