Reviewed:  https://reviews.mahara.org/7998
Committed: https://git.mahara.org/mahara/mahara/commit/1b7859ab1361cf1ed095ec030d8643e3043bb289
Submitter: Robert Lyon (robe...@catalyst.net.nz)
Branch:    15.04_STABLE

commit 1b7859ab1361cf1ed095ec030d8643e3043bb289
Author: Robert Lyon <robe...@catalyst.net.nz>
Date:   Fri Sep 8 09:44:26 2017 +1200

Security Bug 1701978: fix session cookie issues

1. when a user logs in it clears any obsolete
usr_session cookies for the user
2. recording the user-agent of the session
and if it changes to prompt the user to
login again
3. when self adding / editing email address(es)
send 2 emails
        - one to the new email address asking user to confirm address
        - and one to the primary email address to alert user
        that a new email is being added to their account and
        if this is bad how to contact their admin about the problem.

behatnotneeded
Change-Id: Ia44b66cf831abd553b72aa8b1d58d2a2634863b8

-- 
https://bugs.launchpad.net/bugs/1701978

Title:
  Old cookies lingering allowing one to login without giving login
  details

Status in Mahara:
  Fix Released
Status in Mahara 15.04 series:
  Confirmed
Status in Mahara 16.04 series:
  Confirmed
Status in Mahara 16.10 series:
  Confirmed
Status in Mahara 17.04 series:
  Confirmed
Status in Mahara 17.10 series:
  Fix Released

Bug description:
  These are some security issues around Mahara and session cookies.

  When one logs into Mahara a 'mahara' cookie is set in the browser
  containing a unique string for the session. This value is also saved
  in the usr_session table to keep track of the session.

  When one closes the browser without logging out the value in the
  usr_session table is not removed so if someone were to open a browser
  and visit the Mahara site and adjust the 'mahara' cookie to the old
  value they can get access to the user's account.

  Things that need fixing:

  1) when a user logs in it clears any obsolete usr_session cookies for the user.
  - this will decrease the chance an old cookie value can be used to access the user's account.

  2) recording the user-agent of the session and if it changes to prompt the user to login again
  - this should reduce the chance of someone capturing the cookie value on the network and using it

  3) when self adding / editing email address(es) that they are required to give their current password
  - this should reduce the hacker's ability to take over an account they get into (similar to how we do this currently when changing our password).

  NOTE: Using an https site will greatly reduce the ability to discover
  the cookie value as the cookie will be sent securely.
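The two session-side fixes the report asks for (clear a user's obsolete usr_session rows when they log in; record the session's User-Agent and force a fresh login when it changes), shown as an added Python example that is not Mahara's own code. It uses an in-memory SQLite table named usr_session whose columns (session, usr, ctime, useragent) and the helper names are assumptions made here for illustration, not Mahara's schema.

```python
"""Session hygiene for a 'mahara'-style session cookie (added example, not
Mahara's code). The usr_session columns and function names are assumptions."""
import hashlib
import hmac
import secrets
import sqlite3
import time


def open_store():
    # Assumed table layout: one row per live session id.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE usr_session ("
        "session TEXT PRIMARY KEY, usr INTEGER, ctime INTEGER, useragent TEXT)"
    )
    return db


def ua_fingerprint(user_agent):
    # Store a digest rather than the raw header; it is only ever compared.
    return hashlib.sha256(user_agent.encode("utf-8")).hexdigest()


def login(db, usr, user_agent, now=None):
    """Fix 1: delete every existing usr_session row for this user before a
    new session id is issued, so an id left behind by a browser that was
    closed without logging out no longer maps to the account.
    Fix 2: record the User-Agent fingerprint alongside the new session."""
    now = int(time.time() if now is None else now)
    db.execute("DELETE FROM usr_session WHERE usr = ?", (usr,))
    sid = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    db.execute(
        "INSERT INTO usr_session VALUES (?, ?, ?, ?)",
        (sid, usr, now, ua_fingerprint(user_agent)),
    )
    db.commit()
    return sid


def resolve(db, sid, user_agent):
    """Map the cookie value back to a user id. Returns None when the id is
    unknown, or when it is presented from a different User-Agent; in that
    case the row is removed so the caller prompts for a fresh login."""
    row = db.execute(
        "SELECT usr, useragent FROM usr_session WHERE session = ?", (sid,)
    ).fetchone()
    if row is None:
        return None
    usr, stored_fp = row
    if not hmac.compare_digest(stored_fp, ua_fingerprint(user_agent)):
        db.execute("DELETE FROM usr_session WHERE session = ?", (sid,))
        db.commit()
        return None
    return usr


def active_sessions(db, usr):
    """Number of usr_session rows that still resolve for this user."""
    return db.execute(
        "SELECT COUNT(*) FROM usr_session WHERE usr = ?", (usr,)
    ).fetchone()[0]


if __name__ == "__main__":
    store = open_store()
    stale = login(store, 7, "Mozilla/5.0 (constructed UA)")
    fresh = login(store, 7, "Mozilla/5.0 (constructed UA)")
    print("stale id still works:", resolve(store, stale, "Mozilla/5.0 (constructed UA)"))
    print("fresh id works:", resolve(store, fresh, "Mozilla/5.0 (constructed UA)"))
    print("fresh id from other UA:", resolve(store, fresh, "curl/8.0 (constructed UA)"))
```

The User-Agent check is a coarse signal: it only catches a replayed cookie that arrives from a differently identified client, and the report's own NOTE still applies, in that serving the site over HTTPS (with the cookie marked Secure) is what keeps the value from being observed on the network in the first place.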

_______________________________________________
Mailing list: https://launchpad.net/~mahara-contributors
Post to     : mahara-contributors@lists.launchpad.net