** No longer affects: mahara
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask
on #mahara-dev or mahara.org forum before editing or unsubscribing it!
Replace session highjacking code in remove_user_sessions()
Status in Mahara 16.10 series:
When we need to force a user to log out in Mahara (for instance, when
an admin suspends a user's account, or someone resets their password
and we'd like any other logged-in sessions of theirs to be force-
logged out), we use a function in htdocs/auth/session.php called
To delete all of user's sessions, it uses the technique described
1. Look up all of the target user's session IDs in the usr_session table
2. Store the current user's session ID in a local variable
3. Highjack each of the target user's session IDs, then call
session_destroy() on each one.
4. Change back to the current user's session ID.
This works most of the time, but it has a *very* bad failure mode. If
the function fails to restore the current user's session ID, or if the
target user manages to load a page at just the right time, the target
user and current user can wind up with the same session ID.
Essentially an accidental session fixation attack.
Luckily, with the patch for Bug 1363873, this becomes easier to deal
with. Now, a user has to have a record in the usr_session table to be
logged in. That means we no longer need to actually destroy the
sessions on the PHP side. We can just delete them from the usr_session
table, and then they will no longer be logged-in sessions.
To manage notifications about this bug go to:
Mailing list: https://launchpad.net/~mahara-contributors
Post to : firstname.lastname@example.org
Unsubscribe : https://launchpad.net/~mahara-contributors
More help : https://help.launchpad.net/ListHelp