Updated 2014-07-23 09:48:32 by RLE

Hi, during a scan of the Project-Open application, I got the following vulnerability:

  [Medium] Session Identifier Not Updated
  Issue: 13800882
  Severity: Medium
  URL: https://<server_name>/register/
  Risk(s): It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user.
  Fix: Do not accept externally created session identifiers.

Though the fix is mentioned, it is not sufficient for me to understand it completely. Please guide me on how I should remove this. Also let me know if any further details are needed to understand the question.

The session_id remains the same even after the user logs in to the application successfully, but the application is supposed to update the session_id in this case, which is causing a security threat. The file /web/projop/packages/acs-tcl/tcl/security-procs.tcl contains the session_id creation code, but I don't know how to make the change in Tcl. I found the following code, which does the same thing, but it's in Java.
  import java.util.Enumeration;
  import java.util.Map;
  import java.util.concurrent.ConcurrentHashMap;
  import javax.servlet.http.HttpServletRequest;
  import javax.servlet.http.HttpSession;
  import org.owasp.esapi.ESAPI;
  import org.owasp.esapi.User;
  import org.owasp.esapi.errors.AuthenticationException;

  public class SessionRotation {

    // Replace the caller's session id with a freshly generated one while
    // keeping its attributes. Call this right after a successful login so
    // the id the browser held before authentication stops being valid.
    public HttpSession changeSessionIdentifier(HttpServletRequest request)
            throws AuthenticationException {

      // get the current session
      HttpSession oldSession = request.getSession();

      // make a copy of the session content
      Map<String, Object> temp = new ConcurrentHashMap<String, Object>();
      Enumeration<String> e = oldSession.getAttributeNames();
      while (e != null && e.hasMoreElements()) {
        String name = e.nextElement();
        Object value = oldSession.getAttribute(name);
        temp.put(name, value);
      }

      // kill the old session and create a new one (the container issues a new id)
      oldSession.invalidate();
      HttpSession newSession = request.getSession();
      User user = ESAPI.authenticator().getCurrentUser();
      user.addSession(newSession);
      user.removeSession(oldSession);

      // copy back the session content
      for (Map.Entry<String, Object> entry : temp.entrySet()) {
        newSession.setAttribute(entry.getKey(), entry.getValue());
      }
      return newSession;
    }
  }

P.S. Please let me know if you need any further explanation.
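The Java snippet above does two things that matter for the scanner finding: it never reuses the pre-login identifier, and the new identifier comes from the container, not from the client. The following is an added Tcl example of the same technique, written for this page; it is not code from OpenACS, Project-Open or security-procs.tcl, and the session namespace, proc names and the in-memory store are all hypothetical. It assumes Tcl 8.6 (for the rb open mode and binary encode hex) and a readable /dev/urandom.

```tcl
# Added example, not OpenACS / Project-Open code. Assumes Tcl 8.6 and /dev/urandom.
package require Tcl 8.6

namespace eval session {
    # sessions(id) -> dict of attributes; user_id 0 means "not logged in"
    variable sessions
    array set sessions {}

    # 32 random bytes from the OS CSPRNG, hex-encoded. Never use expr {rand()}
    # for this: a guessable id is as bad as one the attacker supplied.
    proc new_id {} {
        set fh [open /dev/urandom rb]
        set bytes [read $fh 32]
        close $fh
        return [binary encode hex $bytes]
    }

    # Create an anonymous (pre-login) session and return its id.
    proc create {} {
        variable sessions
        set id [new_id]
        set sessions($id) [dict create user_id 0 created [clock seconds]]
        return $id
    }

    # Look up the session for a cookie value. An id that is not in the store is
    # rejected, never adopted: this is the "do not accept externally created
    # session identifiers" part of the scanner's fix. A fixation attack works
    # only if the server is willing to start tracking an id the client invented.
    proc get {id} {
        variable sessions
        if {![info exists sessions($id)]} {
            return -code error "unknown or expired session id"
        }
        return $sessions($id)
    }

    # Log a user in: copy the attributes into a freshly generated id, bind the
    # user to it, and destroy the old one. Whatever id the browser presented
    # before authentication is worthless afterwards, so an attacker who planted
    # or observed it gains nothing from the victim's login.
    proc login {old_id user_id} {
        variable sessions
        set attrs [get $old_id]
        set fresh [new_id]
        set sessions($fresh) [dict replace $attrs user_id $user_id login_time [clock seconds]]
        unset sessions($old_id)
        return $fresh
    }

    # Logout must also invalidate server-side, not merely clear the cookie.
    proc logout {id} {
        variable sessions
        unset -nocomplain sessions($id)
    }
}

# Demonstration: the pre-login id no longer works once the user has logged in.
set pre [session::create]
set post [session::login $pre 42]
puts "pre-login id:  $pre"
puts "post-login id: $post"
puts "ids differ: [expr {$pre ne $post}]"
puts "user bound to new id: [dict get [session::get $post] user_id]"
puts "old id rejected: [catch {session::get $pre}]"
```

In a real deployment the value returned by login is what goes into the Set-Cookie header (with Secure and HttpOnly) on the response to the login request; the store would be the database rather than a Tcl array, but the rule is the same: generate on the server, rotate on every privilege change, and refuse ids you did not issue.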

CGM Hi, unfortunately most Tcl users have never heard of Project-Open, so you are not very likely to find help here. I would suggest you post your question on the Project-Open forum at http://sourceforge.net/p/project-open/discussion/295937 . Or, since it probably relates to the OpenACS infrastructure as much as to the Project-Open application, you could try an OpenACS forum.