mahara-contributors team mailing list archive

[Bug 1567799] Re: Replace session highjacking code in remove_user_sessions()


** No longer affects: mahara

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1567799

Title:
  Replace session highjacking code in remove_user_sessions()

Status in Mahara 16.10 series:
  Won't Fix

Bug description:
  When we need to force a user to log out in Mahara (for instance, when
  an admin suspends a user's account, or someone resets their password
  and we'd like any other logged-in sessions of theirs to be force-
  logged out), we use a function in htdocs/auth/session.php called
  "remove_user_sessions($userid)".

  To delete all of user's sessions, it uses the technique described
  here: http://php.net/manual/en/function.session-destroy.php#114709

  1. Look up all of the target user's session IDs in the usr_session table
  2. Store the current user's session ID in a local variable
  3. Highjack each of the target user's session IDs, then call session_destroy() on each one.
  4. Change back to the current user's session ID.

  This works most of the time, but it has a *very* bad failure mode. If
  the function fails to restore the current user's session ID, or if the
  target user manages to load a page at just the right time, the target
  user and current user can wind up with the same session ID.
  Essentially an accidental session fixation attack.

  Luckily, with the patch for Bug 1363873, this becomes easier to deal
  with. Now, a user has to have a record in the usr_session table to be
  logged in. That means we no longer need to actually destroy the
  sessions on the PHP side. We can just delete them from the usr_session
  table, and then they will no longer be logged-in sessions.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/16.10/+bug/1567799/+subscriptions
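The bug description above contrasts two ways of forcing a user out: temporarily adopting each of the target's PHP session IDs to call session_destroy() (racy, and able to leave two users sharing one session ID), or simply deleting the target's rows from the usr_session table once a usr_session row is required for a session to count as logged in. The script below is an added illustration of the second approach and of the per-request check that makes it work; it is not Mahara's own code. The usr_session column names (session, usr, ctime) and the use of an in-memory SQLite database are assumptions made so the example runs stand-alone with `php example.php`.

```php
<?php
// Added example, not Mahara code. Shows force-logout by deleting usr_session
// rows rather than by switching the current request onto another user's
// session ID. The table schema below is an assumption for this example.

function setup_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Assumed shape of the usr_session table: one row per live session.
    $db->exec('CREATE TABLE usr_session (
        session TEXT PRIMARY KEY,
        usr     INTEGER NOT NULL,
        ctime   INTEGER NOT NULL
    )');
    return $db;
}

// Called on successful login: a session is "logged in" only while this row exists.
function record_login(PDO $db, string $sessionId, int $userId): void {
    $stmt = $db->prepare('INSERT INTO usr_session (session, usr, ctime) VALUES (:s, :u, :t)');
    $stmt->execute([':s' => $sessionId, ':u' => $userId, ':t' => time()]);
}

// Force-logout: delete every session row belonging to the target user.
// The current request's own session ID is never touched, so there is no
// restore step that can fail and no window in which two users share an ID.
// (The pattern the bug report replaces did, per target session:
//   session_id($theirs); session_start(); session_destroy(); session_id($mine);
// which is exactly the switch-and-restore sequence that can go wrong.)
function remove_user_sessions(PDO $db, int $userId): int {
    $stmt = $db->prepare('DELETE FROM usr_session WHERE usr = :u');
    $stmt->execute([':u' => $userId]);
    return $stmt->rowCount();
}

// Per-request check: the PHP session cookie alone is not enough; the
// (session, user) pair must still be present in usr_session.
function session_is_live(PDO $db, string $sessionId, int $userId): bool {
    $stmt = $db->prepare('SELECT 1 FROM usr_session WHERE session = :s AND usr = :u');
    $stmt->execute([':s' => $sessionId, ':u' => $userId]);
    return $stmt->fetchColumn() !== false;
}

// Constructed walk-through: an admin (user 1) suspends user 2, who has two sessions.
$db = setup_db();
record_login($db, 'sess-admin-1', 1);
record_login($db, 'sess-user2-a', 2);
record_login($db, 'sess-user2-b', 2);

$removed = remove_user_sessions($db, 2);
echo "removed {$removed} session(s) for user 2\n";                       // removed 2 session(s) for user 2
echo 'admin still live: ', var_export(session_is_live($db, 'sess-admin-1', 1), true), "\n";   // true
echo 'user 2 (a) live:  ', var_export(session_is_live($db, 'sess-user2-a', 2), true), "\n";   // false
echo 'user 2 (b) live:  ', var_export(session_is_live($db, 'sess-user2-b', 2), true), "\n";   // false
```

The PHP session data for the removed user may still sit in the session store until garbage collection, but that is harmless: without a matching usr_session row the next request from that cookie is treated as anonymous, so the logout is effective immediately and the admin's own session ID is never rewritten.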
