[Mahara-contributors] [Bug 1567799] Re: Replace session highjacking code in remove_user_sessions()

Sun, 01 May 2016 16:17:10 -0700 

Changing to "Won't fix" for now, because unrelated bug fixes in session
handling have resolved some of the problems related to this.

** Changed in: mahara/16.10
       Status: Confirmed => Won't Fix

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask 
on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1567799

Title:
  Replace session highjacking code in remove_user_sessions()

Status in Mahara:
  New
Status in Mahara 16.10 series:
  Won't Fix

Bug description:
  When we need to force a user to log out in Mahara (for instance, when
  an admin suspends a user's account, or someone resets their password
  and we'd like any other logged-in sessions of theirs to be force-
  logged out), we use a function in htdocs/auth/session.php called
  "remove_user_sessions($userid)".

  To delete all of user's sessions, it uses the technique described
  here: http://php.net/manual/en/function.session-destroy.php#114709

  1. Look up all of the target user's session IDs in the usr_session table
  2. Store the current user's session ID in a local variable
  3. Highjack each of the target user's session IDs, then call 
session_destroy() on each one.
  4. Change back to the current user's session ID.

  This works most of the time, but it has a *very* bad failure mode. If
  the function fails to restore the current user's session ID, or if the
  target user manages to load a page at just the right time, the target
  user and current user can wind up with the same session ID.
  Essentially an accidental session fixation attack.

  Luckily, with the patch for Bug 1363873, this becomes easier to deal
  with. Now, a user has to have a record in the usr_session table to be
  logged in. That means we no longer need to actually destroy the
  sessions on the PHP side. We can just delete them from the usr_session
  table, and then they will no longer be logged-in sessions.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1567799/+subscriptions

_______________________________________________
Mailing list: https://launchpad.net/~mahara-contributors
Post to     : mahara-contributors@lists.launchpad.net
Unsubscribe : https://launchpad.net/~mahara-contributors
More help   : https://help.launchpad.net/ListHelp

Reply via email to