Security: Session Identifier Not Updated in Tcl


I'm working on the open-source application "project-open"; during a security scan I got the following vulnerability:

[Medium] Session identifier not updated. Issue: 13800882. Severity: medium. URL: https://<server_name>/register/. Risk(s): it is possible to steal or manipulate the customer session and cookies, which might be used to impersonate a legitimate user, allowing a hacker to view or alter user records and to perform transactions as that user. Fix: do not accept externally created session identifiers.

The fix mentioned there is not sufficient for me to understand it completely. Please guide me on how I should remove this; also let me know if further details are needed to understand the question. The project source code is in Tcl.

I found the following code for the same issue; it's in Java.

    import java.util.Enumeration;
    import java.util.Map;
    import java.util.concurrent.ConcurrentHashMap;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpSession;
    import org.owasp.esapi.ESAPI;
    import org.owasp.esapi.User;
    import org.owasp.esapi.errors.AuthenticationException;

    public HttpSession changeSessionIdentifier(HttpServletRequest request) throws AuthenticationException {
        // get the current session
        HttpSession oldSession = request.getSession();

        // make a copy of the session content
        Map<String, Object> temp = new ConcurrentHashMap<String, Object>();
        Enumeration<String> e = oldSession.getAttributeNames();
        while (e != null && e.hasMoreElements()) {
            String name = e.nextElement();
            Object value = oldSession.getAttribute(name);
            temp.put(name, value);
        }

        // kill the old session and create a new one, so the id issued
        // before authentication is no longer valid afterwards
        oldSession.invalidate();
        HttpSession newSession = request.getSession();
        User user = ESAPI.authenticator().getCurrentUser();
        user.addSession(newSession);
        user.removeSession(oldSession);

        // copy the session content back into the new session
        for (Map.Entry<String, Object> stringObjectEntry : temp.entrySet()) {
            newSession.setAttribute(stringObjectEntry.getKey(), stringObjectEntry.getValue());
        }
        return newSession;
    }

P.S. I'm a newbie in Tcl. Please let me know if you need further explanation.
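The Java snippet in the question is ESAPI's session-rotation routine: copy the session attributes, invalidate the session that existed before login, create a fresh server-generated one, and copy the attributes back. The example below is an added, language-neutral model of that same pattern written in Python so it can be run anywhere; it is not code from project-open, OpenACS or ESAPI, and the names (SessionStore, login, login_without_rotation) are illustrative assumptions. It also includes the check a scanner effectively performs for this finding: whether the id issued before authentication is still bound to an authenticated session afterwards.

```python
"""Session-id rotation on login versus the flagged "not updated" behaviour.

Added illustration of the pattern in the posted ESAPI changeSessionIdentifier();
not project-open, OpenACS or ESAPI code. All names are illustrative assumptions.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    sid: str
    user: Optional[str] = None                       # None until authenticated
    attrs: Dict[str, object] = field(default_factory=dict)


class SessionStore:
    """In-memory session table; only ids this store issued ever resolve."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self) -> Session:
        """Anonymous pre-login session with a random, server-generated id."""
        sid = secrets.token_urlsafe(32)
        session = Session(sid=sid)
        self._sessions[sid] = session
        return session

    def lookup(self, sid: str) -> Optional[Session]:
        """Externally supplied ids that were never issued here return None."""
        return self._sessions.get(sid)

    def login(self, sid: str, user: str) -> Session:
        """Authenticate AND rotate the id (the fix), step for step as in the
        Java snippet: copy content, invalidate old, create new, copy back."""
        old = self._sessions.get(sid)
        if old is None:
            raise KeyError("unknown session id")
        temp = dict(old.attrs)          # 1. copy of the session content
        del self._sessions[sid]         # 2. invalidate the pre-login session
        new = self.create()             # 3. fresh server-generated id
        new.user = user
        new.attrs.update(temp)          # 4. carry the content over
        return new

    def login_without_rotation(self, sid: str, user: str) -> Session:
        """The behaviour the scanner flagged: same id before and after login."""
        session = self._sessions[sid]
        session.user = user
        return session


def pre_login_id_still_authenticated(rotate: bool) -> bool:
    """Replicates the scanner's check. Returns True when the id issued before
    login still maps to an authenticated session after login, i.e. when the
    "session identifier not updated" finding applies."""
    store = SessionStore()
    anon = store.create()
    anon.attrs["cart"] = ["item-1"]     # constructed pre-login state to preserve
    id_before_login = anon.sid
    if rotate:
        store.login(id_before_login, "alice")
    else:
        store.login_without_rotation(id_before_login, "alice")
    still = store.lookup(id_before_login)
    return still is not None and still.user is not None


if __name__ == "__main__":
    print("without rotation, finding applies:", pre_login_id_still_authenticated(rotate=False))
    print("with rotation, finding applies:   ", pre_login_id_still_authenticated(rotate=True))
```

The point the scanner's one-line fix ("do not accept externally created session identifiers") leaves implicit is the second half: a session id the server did issue must also be retired at the moment of authentication, otherwise an id observed before login stays valid once the user is logged in. The `login` method does both; the cookie the browser holds must of course be reissued with the new id at the same time.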

There is a fix in OpenACS 5.9 that addresses these scanning reports. Please see the following discussion on openacs.org for reference.

http://www.openacs.org/forums/message-view?message_id=5332821
