mahara-contributors team mailing list archive, Message #45232
[Bug 1701978] Re: Old cookies lingering allowing one to login without giving login details
** Changed in: mahara/15.04
Status: Fix Committed => Fix Released
--
https://bugs.launchpad.net/bugs/1701978
Title: Old cookies lingering allowing one to login without giving login details
Status in Mahara: Fix Released
Status in Mahara 15.04 series: Fix Released
Status in Mahara 16.04 series: Fix Committed
Status in Mahara 16.10 series: Fix Committed
Status in Mahara 17.04 series: Fix Committed
Status in Mahara 17.10 series: Fix Released
Bug description:
These are some security issues around Mahara and session cookies.

When one logs into Mahara a 'mahara' cookie is set in the browser containing a unique string for the session. This value is also saved in the usr_session table to keep track of the session.

When one closes the browser without logging out, the value in the usr_session table is not removed, so if someone were to open a browser, visit the Mahara site and adjust the 'mahara' cookie to the old value, they can get access to the user's account.

Things that need fixing:
1) When a user logs in, it clears any obsolete usr_session cookies for the user.
- This will decrease the chance an old cookie value can be used to access the user's account.
2) Record the user-agent of the session and, if it changes, prompt the user to log in again.
- This should reduce the chance of someone capturing the cookie value on the network and using it.
3) When self adding / editing email address(es), they are required to give their current password.
- This should reduce the hacker's ability to take over an account they get into (similar to how we do this currently when changing our password).

NOTE: Using an https site will greatly reduce the ability to discover the cookie value as the cookie will be sent securely.
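As an added illustration of fixes 1 and 2 from the bug description (example code, not Mahara's own), here is a small Python model of the usr_session lookup; the table schema, column names and the rule that every earlier session of the same user counts as obsolete are assumptions.

```python
import secrets
import sqlite3


def open_store():
    # Constructed in-memory stand-in for the usr_session table the report
    # mentions; the column names are assumptions, not Mahara's schema.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE usr_session (session TEXT PRIMARY KEY, usr INTEGER, useragent TEXT)"
    )
    return db


def login(db, usr, useragent):
    """Issue a fresh session id for usr and return the value to set in the cookie."""
    # Fix 1: drop the user's earlier sessions before issuing a new one, so a
    # cookie value left behind in a closed browser can no longer be replayed.
    db.execute("DELETE FROM usr_session WHERE usr = ?", (usr,))
    sid = secrets.token_urlsafe(32)  # unguessable, like the 'mahara' cookie value
    db.execute("INSERT INTO usr_session VALUES (?, ?, ?)", (sid, usr, useragent))
    db.commit()
    return sid


def resolve_session(db, sid, useragent):
    """Return the user id for a presented cookie value, or None if login is required."""
    row = db.execute(
        "SELECT usr, useragent FROM usr_session WHERE session = ?", (sid,)
    ).fetchone()
    if row is None:
        return None  # unknown or already cleared session
    usr, stored_ua = row
    # Fix 2: the session was bound to the user-agent seen at login; a mismatch
    # suggests a captured cookie, so the row is discarded and the user must log in again.
    if stored_ua != useragent:
        db.execute("DELETE FROM usr_session WHERE session = ?", (sid,))
        db.commit()
        return None
    return usr
```

The user-agent comparison is only a weak signal, since the header is chosen by the client, so it complements rather than replaces HTTPS and a server-side expiry for idle sessions.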