[rt-users] 3.8.x serious security issue with mixing sessions
Arkadiusz Miskiewicz
arekm at maven.pl
Thu Oct 29 09:48:50 EDT 2009
On Monday 26 of October 2009, Jesse Vincent wrote:
> On Mon, Oct 26, 2009 at 02:40:29PM +0200, Arkadiusz Miskiewicz wrote:
> > On Friday 23 of October 2009, Jerrad Pierce wrote:
> > > >> A tool like the firefox developer toolbar is an easy way to do
> > > >> this.
> > >
> > > HTTPFox might be a good solution too. You can simply tell it to start
> > > tracking as you use RT, and stop it once you encounter the problem.
> > > Examine the results, debug, and or sanitize and share.
> > >
> > > Everyone experiencing the problem doesn't have to install the add-on,
> > > just someone who has the issue.
> >
> > Can I log session id here somehow?
> >
> > lib/RT/Interface/Web.pm:
> > $RT::Logger->info("Successful login for @{[$ARGS->{user}]} from
> > $ENV{'REMOTE_ADDR'}");
>
> There are two bits you want to log:
>
> * $session{_session_id}
> * the session cookie the user sent: in 3.8.6, look at
> LoadSessionFromCookie
>
> > So far it's like this:
> > - user logged as A
> > - suddently he becomes user B
> > - he logged off and on as A again
> >
> > httpfox shows three session ids but I found only last one in sessions
> > table and it was user A session.
>
> Logging out should be clearing that B session, so that bit isn't too
> surprising..
Still trying to gather more info.
What's the correct place for logging information about which session has been
logged out (forced) or logged out via web interface?
Added this to _ForceLogout but it seems to be wrong since it logs some very
different session_ids...
sub _ForceLogout {
my $sid = $HTML::Mason::Commands::session{'_session_id'};
$RT::Logger->info("_ForceLogout session id $sid");
> Jesse
--
Arkadiusz Miśkiewicz PLD/Linux Team
arekm / maven.pl http://ftp.pld-linux.org/
More information about the rt-users
mailing list