Ticket #709 (defect)
Opened 1 year ago
Last modified 8 months ago
Cherrypy accepts user-supplied session identifiers
Status: closed (fixed)
| Reported by: | pstradomski@gmail.com | Assigned to: | fumanchu |
|---|---|---|---|
| Priority: | normal | Milestone: | 3.1 |
| Component: | CherryPy code | Keywords: | |
| Cc: |
Cherrypy accepts user-supplied session identifiers. This makes session fixation attacks easier. In case session cookie contains sid that does not reference existing session the client-supplied id should be discarded and a new SID should be generated and sent to client.
Change History
07/27/07 14:20:40: Modified by guest
10/27/07 19:51:30: Modified by fumanchu
- owner changed from rdelon to fumanchu.
- status changed from new to assigned.
- milestone set to 3.1.
01/12/08 19:22:35: Modified by fumanchu
- status changed from assigned to closed.
- resolution set to fixed.
Fixed in [1840].
Perhaps changing lib.sessions.py, around line 71 to:
self.id = id if self.id and self._load is None:
would be enough, but I'm not sure.