Hi, During the scan of project open application, I got the following vulnerability: Medium Session Identifier Not Updated Issue: 13800882 Severity: Medium URL: https://<server_name>/register/ Risk(s): It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user,allowing the hacker to view or alter user records, and to perform transactions as that user Fix: Do not accept externally created session identifiers though the fix is mentioned but it is not sufficient for me to understand it completely.please guide me how should I remove this.Also let me know if any further details are needed to understand the question.
seesion_id remains same even after user logs in in application successfully,but the application is supposed to update session_id in this case, which is causing security threat. the file /web/projop/packages/acs-tcl/tcl/security-procs.tcl contains the session_id creation code. but since I don't know how to reflect the change in TCL. I found the following code which does the same but it's in java.
public HttpSession changeSessionIdentifier(HttpServletRequest request) throws AuthenticationException {
// get the current session
HttpSession oldSession = request.getSession();
// make a copy of the session content
Map<String,Object> temp = new ConcurrentHashMap<String,Object>();
Enumeration e = oldSession.getAttributeNames();
while (e != null && e.hasMoreElements()) {
String name = (String) e.nextElement();
Object value = oldSession.getAttribute(name);
temp.put(name, value);
}
// kill the old session and create a new one
oldSession.invalidate();
HttpSession newSession = request.getSession();
User user = ESAPI.authenticator().getCurrentUser();
user.addSession( newSession );
user.removeSession( oldSession );
// copy back the session content
for (Map.Entry<String, Object> stringObjectEntry : temp.entrySet()){
newSession.setAttribute(stringObjectEntry.getKey(), stringObjectEntry.getValue());
}
return newSession;
}P.S.please let me know if you need any further explanation.
CGM Hi, unfortunately most Tcl users have never heard of Project-Open, so you are not very likely to find help here. I would suggest you post your question on the project-open forum at http://sourceforge.net/p/project-open/discussion/295937 . Or since it probably relates to the OpenACS infrastructure as much as the project-open application you could try an openacs forum.