Comments (5)
from iron-sessionstorage.
Sorry for the late reply.
If there is only vulnerability to attack session fixation, it is not too dangerous. The vulnerability, however, is too dangerous when other vulnerabilities are combined with it.
The flow example of how the attacker exploits is as follows:
- Attacker fixes malicious session to the victim's browser using some other vulnerabilities, such as XSS or HTTP header injection, etc. For example, the attacker fixes "iron_session_id=malicious" to the victims's browser.
- The victim will log in to the service with the malicious session (iron_session_id=malicious).
- Web service using RedisBackend stores the malicious session in associating with the victim authentication.
- Attacker log in to the service using the victim's session.
Of course, the presence of other vulnerabilities are inherently a critical flaw.
In many web services, a session is regenerated when an user logged in. So, how about this library also providing such a method?
Otherwise, if it is empty it will not be regenerated, so I think it's better to fix it preferentially.
https://github.com/iron/iron-sessionstorage/blob/master/src/backends/redis.rs#L93-L97
Thanks.
from iron-sessionstorage.
from iron-sessionstorage.
Ah, right. I didn't have that idea.
Surely it is sufficient for bug fix.
But the behavior is like to refresh a session rather than to clear a session, you know...
Even if you fix the bug using such a way, the vulnerability of Session Fixation is not gone.
I think that a best solution is to implement a method for specifiable a session id into RedisSession
struct. But it is difficult to fix the vulnerability because some other implementations may be affected.
I think a countermeasure you suggested is good for temporary response.
Thanks.
from iron-sessionstorage.
I think it would make sense to automatically refresh the session if it is cleared, but yes, a new API for this would be good.
from iron-sessionstorage.
Related Issues (11)
- Ability to clear session
- Update the cookie dependency HOT 3
- Unsetting session values? HOT 1
- bump new version
- OpenSSL Issue HOT 6
- Figure out how to do session expiration HOT 9
- use same cookie version as hyper HOT 5
- Access session in BeforeMiddleware panics HOT 3
- Is it possible to have the cookies in "http_only" and "secure" mode? HOT 3
- Session cookie not cleared if logout route is not at the root level HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from iron-sessionstorage.