Security vulnerability -- Session Identifier Not Updated

1/12/2012 12:44:00 PM

Security vulnerability -- Session Identifier Not Updated

I know that mojoPortal-based sites do not change the Session Id after a user signs in to the site -- the browser just gets an authentication cookie. However, I've been told by our security team that an AppScan of our site has flagged this unchanged Session Id as a serious vulnerability. According to the AppScan results, the session id should be changed after a user has signed in.

I'm wondering if any other sites based on mojoPortal have had similar problems, and if so, how have they fixed it?

Are there any plans to change this behavior in mojoPortal in the near future?

Is adding a custom handler for user sign-in my only option?

1/12/2012 1:00:13 PM

Re: Security vulnerability -- Session Identifier Not Updated

Hi Bill,

Session id is not used for anything in mojoPortal features and certainly not for anything security related or associated to a specific user so you'd need to explain or link to reasons that confirm some kind of vulnerability you may think exists by not changing the session id after authenticating.  I'm certainly open to doing that but at the moment I'm not aware of any vulnerability in mojoPortal due to session id and I'd like further explanation of what is the supposed risk. 

The most important thing to avoid session hijacking is protecting the authentication and role cookies as explained in our article Use SSL.

Best,

Joe

1/12/2012 1:15:05 PM

Re: Security vulnerability -- Session Identifier Not Updated

Actually, I'm pretty sure if you add this in Web.config as mentioned in the above linked article, then even the session cookie would not be transmitted unless using a secure connection:

<httpCookies requireSSL="true" httpOnlyCookies="true" />

We aren't passing session id in the query string anywhere, so it's only a cookie, and as I mentioned before we are not using that cookie for anything and we don't even use session state for anything in mojoPortal code. With this setting the cookie will not be passed in the request header except on secure requests.

Best,

Joe
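
An added example, not mojoPortal's own code, for anyone who needs the scanner's "Session Identifier Not Updated" finding cleared rather than argued with: the helper below regenerates the ASP.NET session ID once a user has signed in, so the ID the browser held before authentication is not kept afterwards. It assumes cookie-based session state with the default ASP.NET_SessionId cookie and the Web.config setting quoted in the post above; the call site (for instance the LoggedIn event of an ASP.NET Login control) is an assumption, since mojoPortal's own sign-in hook is not shown in this thread.

```csharp
// Added example (not mojoPortal code): regenerate the ASP.NET session ID after a
// successful sign-in so the pre-authentication session ID does not survive login.
// Assumes cookie-based session state (default "ASP.NET_SessionId" cookie).
using System;
using System.Web;
using System.Web.SessionState;

public static class SessionRegenerator
{
    // Call once from whatever code runs after the user has been authenticated.
    // The hook point (e.g. Login.LoggedIn) is an assumption, not a mojoPortal API.
    public static string RegenerateSessionId(HttpContext context)
    {
        if (context == null) throw new ArgumentNullException("context");

        // Purge anything stored under the old ID immediately (Clear) and mark the
        // old session for removal at the end of the request (Abandon). Abandon on
        // its own does not change the ID the browser holds, hence the next step.
        if (context.Session != null)
        {
            context.Session.Clear();
            context.Session.Abandon();
        }

        // SessionIDManager is the built-in provider behind cookie-based session
        // state. Initialize() loads the <sessionState> config (cookie name etc.).
        var manager = new SessionIDManager();
        manager.Initialize();

        // Mint a fresh, cryptographically random ID and write it to the response
        // cookie, replacing the value the browser sent with this request.
        string newId = manager.CreateSessionID(context);
        bool redirected, cookieAdded;
        manager.SaveSessionID(context, newId, out redirected, out cookieAdded);

        return newId;
    }
}

// Example hook, assumption only: an ASP.NET Login control on a sign-in page.
// Wire it from markup (OnLoggedIn="Login_LoggedIn") or in Page_Load.
public partial class SignInPage : System.Web.UI.Page
{
    protected void Login_LoggedIn(object sender, EventArgs e)
    {
        // Forms authentication has already issued the auth cookie by this point;
        // the session cookie is the only one left carrying a pre-login value.
        SessionRegenerator.RegenerateSessionId(HttpContext.Current);
    }
}
```

The new session cookie inherits the Secure and HttpOnly behaviour from the `<httpCookies>` element shown above, so the two measures complement each other: SSL-only cookies stop the ID from being sniffed, and regeneration stops an ID chosen before login from being reused after it. As Joe notes, the authentication and role cookies are the ones that actually carry identity in mojoPortal, so protecting those remains the priority regardless of what the scanner reports.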

1/12/2012 2:12:27 PM

Re: Security vulnerability -- Session Identifier Not Updated

Thanks for the information Joe. I will take your advice and pursue the SSL option.

West
