mahara-contributors team mailing list archive
Message #45214
[Bug 1701978] A change has been merged
Reviewed: https://reviews.mahara.org/8002
Committed: https://git.mahara.org/mahara/mahara/commit/69bcdb52be49481c03b26410553169bfc0acbcb5
Submitter: Robert Lyon (robertl@xxxxxxxxxxxxxxx)
Branch: 16.10_STABLE
commit 69bcdb52be49481c03b26410553169bfc0acbcb5
Author: Cecilia Vela Gurovic <ceciliavg@xxxxxxxxxxxxxxx>
Date: Wed Jul 5 13:16:07 2017 +1200
Security Bug 1701978: fix session cookie issues
1. when a user logs in it clears any obsolete
usr_session cookies for the user
2. recording the user-agent of the session
and if it changes to prompt the user to
log in again
3. when self adding / editing email address(es)
send 2 emails
- one to the new email address asking user to confirm address
- and one to the primary email address to alert user
that a new email is being added to their account and
if this is bad how to contact their admin about the problem.
behatnotneeded
Change-Id: Ia44b66cf831abd553b72aa8b1d58d2a2634863b8
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1701978
Title:
Old cookies lingering allowing one to login without giving login details
Status in Mahara:
Fix Released
Status in Mahara 15.04 series:
Confirmed
Status in Mahara 16.04 series:
Confirmed
Status in Mahara 16.10 series:
Confirmed
Status in Mahara 17.04 series:
Confirmed
Status in Mahara 17.10 series:
Fix Released
Bug description:
These are some security issues around Mahara and session cookies.
When one logs into Mahara a 'mahara' cookie is set in the browser
containing a unique string for the session. This value is also saved
in the usr_session table to keep track of the session.
When one closes the browser without logging out, the value in the
usr_session table is not removed, so if someone were to open a browser,
visit the Mahara site and adjust the 'mahara' cookie to the old
value, they can get access to the user's account.
Things that need fixing:
1) when a user logs in it clears any obsolete usr_session cookies for the user.
- this will decrease the chance an old cookie value can be used to access the user's account.
2) recording the user-agent of the session and if it changes to prompt the user to log in again
- this should reduce the chance of someone capturing the cookie value on the network and using it
3) when self adding / editing email address(es) that they are required to give their current password
- this should reduce the hacker's ability to take over an account they get into (similar to how we do this currently when changing our password).
NOTE: Using an https site will greatly reduce the ability to discover
the cookie value as the cookie will be sent securely.
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1701978/+subscriptions
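The three fixes listed under "Things that need fixing", as an added worked example (this is not Mahara's code and uses none of its API). An in-memory dict stands in for the usr_session table, a second dict for the user table, and a list for the outgoing mail queue; SessionStore, its method names and the SESSION_LIFETIME value are all assumptions. Fix 3 is implemented the way the merged commit describes it (a confirmation mail to the new address plus an alert to the primary address, with nothing changing until the token is confirmed) rather than as the current-password check proposed in the bug description. Two details go beyond the report: only a SHA-256 digest of the session id is stored, so a dump of the table does not yield replayable cookie values, and rows expire after a period of inactivity, which closes the "closed browser, row never removed" gap even when the user never logs in again.

```python
"""Server-side session store mirroring the fixes in Mahara bug 1701978.
Added example; dicts stand in for the usr_session and user tables."""
import hashlib
import hmac
import secrets
import time

SESSION_LIFETIME = 8 * 3600   # assumed idle timeout, seconds
PBKDF2_ROUNDS = 100_000       # assumed password hashing cost


def _digest(value: str) -> str:
    """Hex SHA-256; used so neither session ids nor tokens are stored in clear."""
    return hashlib.sha256(value.encode()).hexdigest()


class SessionStore:
    def __init__(self, now=time.time):
        self._now = now       # injectable clock so expiry can be exercised offline
        self._rows = {}       # digest(session id) -> row, analogue of usr_session
        self._users = {}      # username -> {"salt", "pw", "email", "pending"}
        self.outbox = []      # (recipient, subject) pairs a mailer would send

    # -- accounts -----------------------------------------------------------
    @staticmethod
    def _pw_hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, usr: str, password: str, email: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[usr] = {"salt": salt, "pw": self._pw_hash(password, salt),
                            "email": email, "pending": None}

    def email_of(self, usr: str) -> str:
        return self._users[usr]["email"]

    # -- sessions -----------------------------------------------------------
    def login(self, usr: str, password: str, user_agent: str):
        """Return a fresh cookie value, or None on bad credentials."""
        u = self._users.get(usr)
        if u is None or not hmac.compare_digest(u["pw"], self._pw_hash(password, u["salt"])):
            return None
        # fix 1: drop every existing row for this user, so a cookie value left
        # behind in a closed browser can no longer be replayed
        for key in [k for k, r in self._rows.items() if r["usr"] == usr]:
            del self._rows[key]
        sid = secrets.token_urlsafe(32)
        # fix 2: remember the User-Agent seen at login (digest only)
        self._rows[_digest(sid)] = {"usr": usr, "ua": _digest(user_agent),
                                    "mtime": self._now()}
        return sid

    def resolve(self, sid: str, user_agent: str):
        """Map a cookie value to a user; None means the caller must log in again."""
        key = _digest(sid)
        row = self._rows.get(key)
        if row is None:
            return None
        expired = self._now() - row["mtime"] > SESSION_LIFETIME
        # fix 2: a User-Agent that differs from the one recorded at login
        # destroys the session instead of serving the request
        ua_changed = not hmac.compare_digest(row["ua"], _digest(user_agent))
        if expired or ua_changed:
            del self._rows[key]
            return None
        row["mtime"] = self._now()
        return row["usr"]

    def logout(self, sid: str) -> None:
        self._rows.pop(_digest(sid), None)

    # -- email change (fix 3 as merged: confirm to new address, alert primary) --
    def request_email_change(self, sid: str, user_agent: str, new_email: str) -> str:
        usr = self.resolve(sid, user_agent)
        if usr is None:
            raise PermissionError("login required")
        u = self._users[usr]
        token = secrets.token_urlsafe(32)
        u["pending"] = {"email": new_email, "token": _digest(token),
                        "expires": self._now() + 24 * 3600}
        self.outbox.append((new_email, f"Confirm this email address for {usr}"))
        self.outbox.append((u["email"], f"A new email address is being added to {usr}"))
        return token   # in practice delivered only inside the first mail

    def confirm_email_change(self, usr: str, token: str) -> bool:
        u = self._users[usr]
        p = u["pending"]
        if (p is None or self._now() > p["expires"]
                or not hmac.compare_digest(p["token"], _digest(token))):
            return False
        u["email"], u["pending"] = p["email"], None
        return True
```

Two caveats a deployer should keep in mind. The User-Agent check is only a speed bump: anyone able to read the cookie off the wire can read the User-Agent header from the same request, which is why the report itself says it "should reduce the chance" rather than prevent it; the NOTE about https is the real control, and the cookie should also be issued with the Secure and HttpOnly flags so it is never sent in clear or exposed to script. Invalidating all prior rows at login (fix 1) also logs out the user's other legitimate devices, so a site that wants concurrent sessions would instead keep a per-row expiry and a "log out other sessions" action.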