Ticket #710 (defect)
Opened 1 year ago
Last modified 10 months ago
Allow forcing a new session id
Status: closed (fixed)
| Reported by: | pstradomski@gmail.com | Assigned to: | fumanchu |
|---|---|---|---|
| Priority: | normal | Milestone: | 3.1 |
| Component: | CherryPy code | Keywords: | |
| Cc: |
It should be possible for CherryPy to destroy the current session and create a new one with a different SID. With such a function it is easier to prevent session fixation attacks, because if an attacker forces a user to use a SID known to the attacker, then after login such a session would be destroyed and a new SID generated and sent to the user, effectively rendering the old (attacker-supplied) SID worthless.
Attachments
Change History
07/28/07 14:43:40: Modified by fumanchu
- attachment sessregen.patch added.
07/28/07 14:46:19: Modified by fumanchu
- owner changed from rdelon to fumanchu.
- status changed from new to assigned.
- milestone set to 3.1.
Here's a patch against trunk. If you try it out and it does what you want, I'd be happy to apply it.
07/28/07 14:48:03: Modified by fumanchu
(Copied from mailing list):
In PHP this can be accomplished by calling session_regenerate_id() (see http://www.php.net/manual/en/function.session-regenerate-id.php). Here is an explanation of possible attack vectors: http://www.webappsec.org/projects/threat/classes/session_fixation.shtml
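The defence the ticket description and the PHP note above both ask for is the same operation: after the credentials check out, keep the session data but throw the id away and mint a fresh one, so a planted id stops mapping to anything. The following is an added example (not CherryPy's code or the attached patch) that models this with a small in-memory store; `SessionStore`, `login`, `fixation_attack` and the `USERS` table are constructed for the demo. It plays the attack out twice, once without and once with regeneration on login, so the difference is visible in the return values.

```python
import hmac
import secrets

# Constructed credential table for the demo; a real app stores a
# password hash, never the password itself.
USERS = {"alice": "correct horse battery staple"}


class SessionStore:
    """Minimal in-memory session store, constructed for this example."""

    def __init__(self):
        self._sessions = {}  # sid -> session data dict

    @staticmethod
    def _mint_sid():
        # 160 bits from the OS CSPRNG; never derived from anything the client sent.
        return secrets.token_hex(20)

    def open(self, presented_sid=None):
        """Return the sid for the cookie value a client presented.

        Unknown or missing ids get a fresh session; the client's value is
        never adopted as an id, so an attacker has to obtain a genuine one.
        """
        if presented_sid in self._sessions:
            return presented_sid
        sid = self._mint_sid()
        self._sessions[sid] = {}
        return sid

    def exists(self, sid):
        return sid in self._sessions

    def data(self, sid):
        return self._sessions[sid]

    def regenerate(self, sid):
        """Keep the session's data but replace its id; the old id is gone."""
        data = self._sessions.pop(sid)
        new_sid = self._mint_sid()
        self._sessions[new_sid] = data
        return new_sid


def login(store, sid, username, password, regenerate_on_login=True):
    """Authenticate; return the sid the response must set as the cookie."""
    expected = USERS.get(username)
    if expected is None or not hmac.compare_digest(expected, password):
        return sid  # unchanged and still unauthenticated
    if regenerate_on_login:
        # Rotate *before* writing authenticated state, so nothing privileged
        # is ever stored under an id the attacker may already know.
        sid = store.regenerate(sid)
    store.data(sid)["user"] = username
    return sid


def fixation_attack(regenerate_on_login):
    """Play the attack out; return (attacker_got_victim_session, cookie_changed)."""
    store = SessionStore()
    attacker_sid = store.open()                 # 1. attacker obtains a genuine sid
    # 2. attacker plants attacker_sid in the victim's browser (how is out of scope)
    victim_cookie = store.open(attacker_sid)    # 3. victim's request carries it
    victim_cookie = login(store, victim_cookie, "alice",
                          "correct horse battery staple", regenerate_on_login)
    # 4. attacker replays the planted id and checks whether it is now alice's
    hijacked = (store.exists(attacker_sid)
                and store.data(attacker_sid).get("user") == "alice")
    return hijacked, victim_cookie != attacker_sid


if __name__ == "__main__":
    print("without regeneration:", fixation_attack(False))
    print("with regeneration:   ", fixation_attack(True))
```

Two details matter in practice and are easy to get wrong: regenerate after the password check succeeds but before any authenticated state is written, and make sure the response actually sets the new id as the cookie (the value `login` returns), otherwise the browser keeps sending the old one. In CherryPy this operation landed as `cherrypy.session.regenerate()` with the fix referenced below.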
10/26/07 21:23:18: Modified by fumanchu
- status changed from assigned to closed.
- resolution set to fixed.
Fixed in [1770].
sessregen.patch: patch to regenerate session