Reviewed: https://reviews.mahara.org/6376
Committed: https://git.mahara.org/mahara/mahara/commit/4692ab43960fbd3819bbf007877ebccb1cc98fd0
Submitter: Robert Lyon ([email protected])
Branch: 15.04_STABLE
commit 4692ab43960fbd3819bbf007877ebccb1cc98fd0
Author: Aaron Wells <[email protected]>
Date: Fri Apr 15 20:16:06 2016 +1200

Bug 1567784: session_regenerate_id() not working

We have existing code that tries to regenerate your session ID when you log in. But it stopped working in PHP 15.04 because the session has usually been closed when it gets called.

Change-Id: I5f99cdf355892040866bb0113fd934e3d37bf33c
behatnotneeded: Can't be tested by behat
(cherry picked from commit a923f51be7723a640b4ddbcf9163a8128b9ec4b3)

https://bugs.launchpad.net/bugs/1567784

Title: Session IDs not being regenerated

Status in Mahara: Fix Committed
Status in Mahara 15.04 series: Fix Committed
Status in Mahara 15.10 series: Fix Committed
Status in Mahara 16.04 series: Fix Committed
Status in Mahara 16.10 series: Fix Committed

Bug description:

Security best practice requires that the session ID be changed whenever a user logs in or out (or makes other similar changes to their access level). If this is not done, then it makes session hijacking attacks a lot easier.

In PHP this is best done by calling the function session_regenerate_id(). And Mahara does indeed have quite old code that does this in htdocs/auth/user.php, whenever a user is logged in (but not logged out).

However, this code stopped working in Mahara 15.04. This appears to be due to the changes we made to htdocs/auth/session.php to prevent session locking from interfering with ajax scripts, which cause session_start() and session_write_close() to be called several times per script execution instead of just once.

We need to:

1. Make sure that session_regenerate_id() works correctly, so that the user's session ID really does change when they log in (preferably in a way that will work for all auth methods)

2. And expand this so that the user's session ID is also changed when they log out.
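The failure mode described in the bug report, as an added illustration that is not Mahara's code and not part of the bug report or commit: session_regenerate_id() silently does nothing useful if the session has already been closed with session_write_close(), so the old ID stays valid. The helper below checks the session state first and reopens the session when needed, and the login/logout wrappers show where the rotation belongs (before privileged data is stored, and after it is cleared). All function names here are hypothetical; the $userid parameter and the 'userid' key are illustrative only.

```php
<?php
// Added example, not part of Mahara. Names are hypothetical.

/**
 * Rotate the session ID, tolerating a session that was closed earlier
 * in the request (e.g. to release the session lock for AJAX scripts).
 *
 * Returns true when a fresh ID was issued. On return the session is
 * active; callers that want the lock released must close it themselves.
 */
function rotate_session_id(): bool
{
    if (session_status() === PHP_SESSION_DISABLED) {
        return false;
    }

    // The new ID is delivered via a Set-Cookie header, so this cannot
    // succeed once output has started. Report that instead of emitting
    // a warning and leaving the old ID in place.
    if (headers_sent()) {
        return false;
    }

    // A closed session (after session_write_close()) reports
    // PHP_SESSION_NONE; reopening it resumes the session named by the
    // cookie so that regeneration actually applies to it.
    if (session_status() !== PHP_SESSION_ACTIVE && !session_start()) {
        return false;
    }

    // true = remove the data stored under the old ID, so a leaked or
    // fixated old ID cannot be replayed after the rotation.
    return session_regenerate_id(true);
}

/** Call once authentication has succeeded, before storing user state. */
function on_login(int $userid): void
{
    if (!rotate_session_id()) {
        // Do not continue with a stale (possibly attacker-known) ID.
        throw new RuntimeException('Could not regenerate session ID');
    }
    $_SESSION['userid'] = $userid;
    session_write_close();
}

/** Clear user state and issue a new, anonymous session ID. */
function on_logout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $_SESSION = [];
    rotate_session_id();
    session_write_close();
}
```

The check worth keeping in mind is the one in the middle: session_status() is the only reliable way to know whether the session is currently open, and a call to session_regenerate_id() made while it reports PHP_SESSION_NONE is exactly the case the bug report describes.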

