Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 16.11.04, 17.12.01, Trunk
    • Fix Version/s: 16.11.05, 17.12.01
    • Component/s: framework
    • Labels: None
    • Sprint: Bug Crush Event - 21/2/2015

    Description

      With the security audit tool "IBM Security AppScan Enterprise, Version 9.0.3.7", a client discovered a session fixation security issue.

      OWASP describes here how to fix this kind of issue.

      I decided to prevent session fixation by making Tomcat generate a new jsessionId, ultimately put in a cookie.

      OWASP also recommends:
      <<Other common scenarios must also be considered, such as password changes, permission changes or switching from a regular user role to an administrator role within the web application. For all these web application critical pages, previous session IDs have to be ignored, a new session ID must be assigned to every new request received for the critical resource, and the old or previous session ID must be destroyed.>>

      Password changes go through a new authentication, so they are not a problem: it's a new login, so a new jsessionId.

      I don't think it is necessary to create a new authentication in OFBiz during "permission changes". In my opinion, as it requires data loads, it's up to the admin to handle it, if it ever happens. You rarely (actually never) change permissions during a session, do you? Otherwise the admin has to manage it with the user...
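      As an added illustration (not code from this issue or from OFBiz itself): a hypothetical Java login helper that shows the vulnerable pattern AppScan flags beside the fix the issue describes, i.e. having the servlet container issue a fresh JSESSIONID at the moment of authentication. It assumes a Servlet 3.1 or later container (Tomcat 8+) for `HttpServletRequest.changeSessionId()`; the class name, the `userLogin` attribute and the `userLoginId` parameter are invented for the example. The third method is the equivalent for older containers that lack `changeSessionId()`.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical login helper (example code, not OFBiz's own) contrasting a
 * session-fixation-prone login with two ways of rotating the session ID.
 */
public final class SessionFixationExample {

    private SessionFixationExample() {}

    /**
     * VULNERABLE: the user is authenticated into whatever session the client
     * presented. If an attacker planted that JSESSIONID in the victim's browser
     * beforehand, the attacker now holds an authenticated session.
     */
    public static void loginKeepingSession(HttpServletRequest request, String userLoginId) {
        HttpSession session = request.getSession(true);
        session.setAttribute("userLogin", userLoginId);
    }

    /**
     * FIXED (Servlet 3.1+ / Tomcat 8+): ask the container for a new session ID
     * at authentication time. Tomcat keeps the session's attributes, invalidates
     * the old ID and sends a new Set-Cookie: JSESSIONID=... with the response,
     * so an ID chosen before login is worthless afterwards.
     * Returns the new ID so a caller (or test) can check it actually changed.
     */
    public static String loginWithNewSessionId(HttpServletRequest request, String userLoginId) {
        HttpSession session = request.getSession(true);
        String newId = request.changeSessionId();
        session.setAttribute("userLogin", userLoginId);
        return newId;
    }

    /**
     * FIXED (pre-3.1 containers): invalidate the presented session and create a
     * fresh one, carrying over any attributes that must survive login (cart,
     * locale, ...). Copy first, because attributes are gone after invalidate().
     */
    public static HttpSession loginWithFreshSession(HttpServletRequest request, String userLoginId) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<>();
        if (old != null) {
            for (String name : Collections.list(old.getAttributeNames())) {
                carried.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        carried.forEach(fresh::setAttribute);
        fresh.setAttribute("userLogin", userLoginId);
        return fresh;
    }
}
```

      The practical check is the one the audit tool performs: send the login request with a pre-chosen `JSESSIONID` cookie and confirm that the response carries a `Set-Cookie` with a different value and that a follow-up request using the pre-chosen ID is treated as unauthenticated. The same rotation should be applied at the other points the OWASP quote lists (privilege or role changes), since each of them is a new trust boundary for the session.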

          People

            Assignee: jleroux Jacques Le Roux
            Reporter: jleroux Jacques Le Roux