Foswiki > Tasks Web > Item15048 (28 Mar 2022, MichaelDaum)

Item15048: disable access to sessionid

Priority: Security
Current State: Closed
Released In: 2.1.7
Target Release: patch
Applies To: Engine
Component: LoginManager
Branches:
Reported By: MichaelDaum
Waiting For:
Last Change By: MichaelDaum
Any access to the session id of a user should be disabled. There is no real use to have the macros %SESSIONID and %SESSIONVAR. There are ways to exploit this information and steal a user's session. See https://en.wikipedia.org/wiki/Server-side_request_forgery

These two macros are implemented in the Foswiki::LoginManager. They should be hidden behind a config setting {Sessions}{HideSessionVariable}, defaulting to true. If enabled, a bold warning should be displayed in configure.

-- MichaelDaum - 11 Nov 2021
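The gating described in the report, as an added illustration that is not Foswiki's own code: a config switch named after the proposed {Sessions}{HideSessionVariable} key decides whether the %SESSIONID% and %SESSIONVAR% macros expand to the session values or to nothing, and a companion check produces the configure warning when the switch is off. The handler layout, the `expand_*` helpers and the sample session values are assumptions made for this example and do not mirror Foswiki::LoginManager's internals.

```perl
#!/usr/bin/perl
# Added example, not Foswiki code: gate session-id macros behind a config key.
use strict;
use warnings;

# Constructed configuration hash standing in for %Foswiki::cfg.
# {Sessions}{HideSessionVariable} is the key proposed in the task;
# the report asks for it to default to true (hidden).
our %cfg = (
    Sessions => { HideSessionVariable => 1 },
);

# Stand-in for the login manager's %SESSIONID% handler.
# With the switch on, the macro expands to an empty string, so no template
# or topic can embed the session cookie value in rendered output.
sub expand_sessionid {
    my ($session_id) = @_;
    return '' if $cfg{Sessions}{HideSessionVariable};
    return $session_id;
}

# Stand-in for the %SESSIONVAR% handler (name of the session cookie/variable).
sub expand_sessionvar {
    my ($session_var) = @_;
    return '' if $cfg{Sessions}{HideSessionVariable};
    return $session_var;
}

# Expand both macros in a fragment of topic text.
sub expand_macros {
    my ($text, $session_id, $session_var) = @_;
    $text =~ s/%SESSIONID%/expand_sessionid($session_id)/ge;
    $text =~ s/%SESSIONVAR%/expand_sessionvar($session_var)/ge;
    return $text;
}

# Stand-in for the configure-time check the report asks for: a warning text
# is returned only when the operator has turned the protection off.
sub config_warning {
    return '' if $cfg{Sessions}{HideSessionVariable};
    return 'WARNING: {Sessions}{HideSessionVariable} is off; '
         . '%SESSIONID% and %SESSIONVAR% will expand in rendered topics.';
}

# Constructed sample input (not real session data).
my $text = 'cookie name: %SESSIONVAR%, value: %SESSIONID%';

print "hidden (default): ", expand_macros($text, 'EXAMPLE_SID_0000', 'FOSWIKISID'), "\n";
print "configure says: ", (config_warning() || '(no warning)'), "\n";

$cfg{Sessions}{HideSessionVariable} = 0;
print "exposed: ", expand_macros($text, 'EXAMPLE_SID_0000', 'FOSWIKISID'), "\n";
print "configure says: ", config_warning(), "\n";
```

Run it with `perl` to see the two modes side by side; the point of the default is that a topic author who pastes %SESSIONID% into a page gets nothing back rather than the viewer's own session value.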

See patch at https://github.com/foswiki/distro/commit/2bc2dda69bab7686d680b0badcf273b5aef2a6a2

-- MichaelDaum - 11 Nov 2021

Seems appropriate.

-- TimothyLegge - 16 Nov 2021
Topic revision: r5 - 28 Mar 2022, MichaelDaum