
mahara-contributors team mailing list archive

[Bug 1567784] Re: Session ID's not being regenerated


** Changed in: mahara/15.10
       Status: In Progress => Fix Committed

** Changed in: mahara/15.04
       Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1567784

Title:
  Session ID's not being regenerated

Status in Mahara:
  Fix Committed
Status in Mahara 15.04 series:
  Fix Committed
Status in Mahara 15.10 series:
  Fix Committed
Status in Mahara 16.04 series:
  Fix Committed
Status in Mahara 16.10 series:
  Fix Committed

Bug description:
  Security best practice requires that the session ID be changed
  whenever a user logs in or out (or makes other similar changes to
  their access level). If this is not done, then it makes session
  hijacking attacks a lot easier.

  In PHP this is best done by calling the function
  session_regenerate_id(). And Mahara does indeed have quite old code
  that does this in htdocs/auth/user.php, whenever a user is logged in
  (but not logged out). However, this code stopped working in Mahara
  15.04. This appears to be due to the changes we made to
  htdocs/auth/session.php to prevent session locking from interfering
  with ajax scripts, which cause session_start() and
  session_write_close() to be called several times per script execution
  instead of just once.

  We need to:

  1. Make sure that session_regenerate_id() works correctly, so that the
  user's session ID really does change when they log in (preferably in
  a way that will work for all auth methods)

  2. And expand this so that the user's session ID is also changed when
  they log out.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1567784/+subscriptions
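An added example (not Mahara's own code) of login and logout handlers that still regenerate the session ID when an earlier session_write_close() has left the session inactive, which is the failure mode the bug describes; the function names are assumptions.

```php
<?php
// Added example (not Mahara's own code): regenerate the PHP session ID on login and
// logout even if session_write_close() was already called earlier in the request.
declare(strict_types=1);

// Re-open a session that an earlier session_write_close() left inactive;
// session_regenerate_id() silently does nothing when no session is active.
function ensure_session_active(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Rotate the session ID; returns the new ID, or null if it did not change.
function rotate_session_id(): ?string
{
    ensure_session_active();
    $old = session_id();
    // true: discard the old session data so a captured pre-login ID stays useless.
    if (!session_regenerate_id(true)) {
        return null;
    }
    $new = session_id();
    return ($new !== '' && $new !== $old) ? $new : null;
}

// Call once credentials are verified: bind the user to a fresh session ID.
function on_login_success(int $userid): void
{
    if (rotate_session_id() === null) {
        // Fail closed rather than keep a session ID that predates authentication.
        throw new RuntimeException('session ID was not regenerated at login');
    }
    $_SESSION['userid'] = $userid;
    $_SESSION['login_time'] = time();
}

// Call on logout: drop the data and the old ID, then start a fresh anonymous session.
function on_logout(): void
{
    ensure_session_active();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    session_start();
    session_regenerate_id(true);
}
```

A regression check for this bug is to record session_id() before calling on_login_success() or on_logout() and assert that it differs afterwards.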