Share Application
SHA-2180

Session Fixation issue with JSESSIONID

Details

• Type: Bug
• Status: Open
• Resolution: Unresolved
• Affects Version/s: None
• Fix Version/s: None
• Component/s: None
• Labels: None
• Bug Priority: Category 1
• Work Funnel: Unassigned

Description

Hi,

After adding an OOTB evaluator group.module.evaluator in my extension module (https://pastebin.com/fB6Y4BPr) for hiding the Create Site option for non-admin users, which BTW works fine, I can see that there is a change in the way the JSESSIONID is created.

In a normal standalone Share project the JSESSIONID is created when the user logs in and is refreshed on every login, but after adding the above evaluator I can see that the JSESSIONID is created the moment I hit the login page and it stays there even after the login, but is refreshed on every logout.

I did some digging into the Alfresco code for the evaluator bean and found out that the isMemberOfGroups method of the SlingshotEvaluatorUtil class, called from the SlingshotGroupModuleEvaluator class, creates a session for storing the GROUP membership in the session.

Now this behaviour creates a Session Fixation (https://www.owasp.org/index.php/Session_fixation) issue that permits an attacker to hijack a valid user session.

Please see my question and reply on the Alfresco forum: https://community.alfresco.com/message/832325-re-strange-behaviour-with-jsessionid-creating-session-fixation-issue

Can anyone please suggest what can be done here?
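The behaviour reported above, pre-authentication session creation followed by reuse of the same JSESSIONID after login, is the condition a regression check for session fixation should catch. The following is an added example, not Alfresco code or the reporter's code: ToyShare is a constructed stand-in for a Share-style web tier whose evaluator touches the session before login, and rotates_session_on_login is the check that the pre-auth id must not survive authentication.

```python
"""Session-fixation regression check modelled on the SHA-2180 report.

Constructed example: a toy servlet-like container where a group evaluator
caches membership in the session before authentication (the reported change),
paired with a check that the session id must be rotated on login.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ToyShare:
    """Minimal stand-in for a Share-style web tier with a JSESSIONID store."""
    rotate_on_login: bool                      # the mitigation under test
    sessions: dict = field(default_factory=dict)

    def _new_session(self) -> str:
        sid = secrets.token_hex(16)            # stands in for a JSESSIONID
        self.sessions[sid] = {}
        return sid

    def login_page(self, sid: Optional[str]) -> str:
        # The evaluator stores group membership in the session, so a session
        # now exists before the user has authenticated (what the report saw).
        if sid not in self.sessions:
            sid = self._new_session()
        self.sessions[sid]["groups"] = []      # constructed: anonymous, no groups
        return sid

    def login(self, sid: str, user: str) -> str:
        if sid not in self.sessions:
            sid = self._new_session()
        if self.rotate_on_login:
            # Mitigation: discard the pre-auth id and issue a fresh one while
            # keeping attributes (the effect of Servlet 3.1 changeSessionId()).
            attrs = self.sessions.pop(sid)
            sid = self._new_session()
            self.sessions[sid] = attrs
        self.sessions[sid]["user"] = user
        return sid


def rotates_session_on_login(app: ToyShare) -> bool:
    """True only if the id seen on the login page is dead after authentication."""
    pre_auth = app.login_page(None)
    post_auth = app.login(pre_auth, "alice")   # constructed user name
    return post_auth != pre_auth and pre_auth not in app.sessions
```

Against a real deployment the same check is the pair of Set-Cookie values captured on the login page and on the first post-login response; identical JSESSIONID values are the finding.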

People

• Assignee: Unassigned
• Reporter: Hiten Rastogi (hitenrastogi)
• Votes: 0
• Watchers: 1