Reviewed: https://reviews.mahara.org/8002
Committed: https://git.mahara.org/mahara/mahara/commit/69bcdb52be49481c03b26410553169bfc0acbcb5
Submitter: Robert Lyon (robe...@catalyst.net.nz)
Branch: 16.10_STABLE

commit 69bcdb52be49481c03b26410553169bfc0acbcb5
Author: Cecilia Vela Gurovic <cecili...@catalyst.net.nz>
Date:   Wed Jul 5 13:16:07 2017 +1200

    Security Bug 1701978: fix session cookie issues

    1. when a user logs in it clears any obsolete usr_session cookies for the user
    2. recording the user-agent of the session and if it changes to prompt the user to login again
    3. when self adding / editing email address(es) send 2 emails
       - one to the new email address asking user to confirm address
       - and one to the primary email address to alert user that a new email is being added to their account and if this is bad how to contact their admin about the problem.

    behatnotneeded

    Change-Id: Ia44b66cf831abd553b72aa8b1d58d2a2634863b8

https://bugs.launchpad.net/bugs/1701978

Title:
  Old cookies lingering allowing one to login without giving login details

Status in Mahara: Fix Released
Status in Mahara 15.04 series: Confirmed
Status in Mahara 16.04 series: Confirmed
Status in Mahara 16.10 series: Confirmed
Status in Mahara 17.04 series: Confirmed
Status in Mahara 17.10 series: Fix Released

Bug description:
  These are some security issues around Mahara and session cookies.

  When one logs into Mahara a 'mahara' cookie is set in the browser containing a unique string for the session. This value is also saved in the usr_session table to keep track of the session.

  When one closes the browser without logging out, the value in the usr_session table is not removed, so if someone were to open a browser and visit the Mahara site and adjust the 'mahara' cookie to the old value they can get access to the user's account.

  Things that need fixing:

  1) when a user logs in it clears any obsolete usr_session cookies for the user
     - this will decrease the chance an old cookie value can be used to access the user's account.

  2) recording the user-agent of the session and if it changes to prompt the user to login again
     - this should reduce the chance of someone capturing the cookie value on the network and using it

  3) when self adding / editing email address(es) that they are required to give their current password
     - this should reduce the hacker's ability to take over an account they get into (similar to how we do this currently when changing our password).

  NOTE: Using an https site will greatly reduce the ability to discover the cookie value as the cookie will be sent securely.
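As an added illustration of fixes 1 and 2 (this is not Mahara's code; the in-memory usr_session stand-in, its column names and the demo user-agent strings are assumptions), the server-side session handling modelled in Python: logging in clears the user's older session rows and binds the new session to the browser's user-agent, and a presented cookie value is only honoured when it is still in the table and the user-agent matches.

```python
import secrets
import sqlite3


def new_store():
    """Constructed in-memory stand-in for Mahara's usr_session table.
    Column names are an assumption for illustration, not Mahara's schema."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE usr_session (session TEXT PRIMARY KEY, usr INTEGER, useragent TEXT)")
    return db


def login(db, usr, useragent):
    """Fix 1 and fix 2: delete every older session row for this user so a
    lingering cookie value stops working, then issue a fresh random session id
    recorded together with the client's user-agent."""
    db.execute("DELETE FROM usr_session WHERE usr = ?", (usr,))
    sid = secrets.token_hex(32)
    db.execute("INSERT INTO usr_session VALUES (?, ?, ?)", (sid, usr, useragent))
    db.commit()
    return sid


def resolve_session(db, sid, useragent):
    """Return the user id for a presented 'mahara' cookie value, or None when the
    user must log in again: the id is unknown, or the user-agent differs from
    the one recorded at login. A mismatch also removes the row so the same value
    cannot simply be retried. The user-agent check is a heuristic (browser
    upgrades change it too), so a mismatch must lead to re-login, never to an
    error that leaks whether the id was valid."""
    row = db.execute("SELECT usr, useragent FROM usr_session WHERE session = ?", (sid,)).fetchone()
    if row is None:
        return None
    usr, recorded_ua = row
    if recorded_ua != useragent:
        db.execute("DELETE FROM usr_session WHERE session = ?", (sid,))
        db.commit()
        return None
    return usr


def demo():
    """Walk through the scenario in the bug report with constructed values."""
    db = new_store()
    ua = "Mozilla/5.0 (constructed user-agent)"
    old = login(db, 7, ua)   # first login; browser later closed without logout
    new = login(db, 7, ua)   # user logs in again; fix 1 clears the old row
    return {
        "old_cookie_after_relogin": resolve_session(db, old, ua),     # None
        "new_cookie_same_browser": resolve_session(db, new, ua),      # 7
        "new_cookie_other_ua": resolve_session(db, new, "curl/7.0"),  # None
        "new_cookie_after_mismatch": resolve_session(db, new, ua),    # None
    }
```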