You are here: Foswiki>Tasks Web>Item15048 (28 Mar 2022, MichaelDaum)Edit Attach

Item15048: disable access to sessionid

pencil
Priority: Security
Current State: Closed
Released In: 2.1.7
Target Release: patch
Applies To: Engine
Component: LoginManager
Branches:
Reported By: MichaelDaum
Waiting For:
Last Change By: MichaelDaum
Any access to the session id of a user should be disabled. There is no real use to have the macros %SESSIONID and %SESSIONVAR. There are ways to exploit this information and steal a user's session. see https://en.wikipedia.org/wiki/Server-side_request_forgery

These two macros are implemented in the Foswiki::LoginManager. They should be hidden behind a config setting {Sessions}{HideSessionVariable}, defaulting to true. If enabled a bold warning should be displayed in configure.

-- MichaelDaum - 11 Nov 2021

See patch at https://github.com/foswiki/distro/commit/2bc2dda69bab7686d680b0badcf273b5aef2a6a2

-- MichaelDaum - 11 Nov 2021

Seems appropriate.

-- TimothyLegge - 16 Nov 2021
 

ItemTemplate edit

Summary disable access to sessionid
ReportedBy MichaelDaum
Codebase
SVN Range
AppliesTo Engine
Component LoginManager
Priority Security
CurrentState Closed
WaitingFor
Checkins
TargetRelease patch
ReleasedIn 2.1.7
CheckinsOnBranches
trunkCheckins
masterCheckins
ItemBranchCheckins
Release02x01Checkins
Release02x00Checkins
Release01x01Checkins
Edit  | Attach | Print version | History: r5 < r4 < r3 < r2 | Backlinks | View wiki text | Edit wiki text | More topic actions
Topic revision: r5 - 28 Mar 2022, MichaelDaum
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License    Legal Imprint    Privacy Policy