This repository has been archived by the owner on Dec 13, 2022. It is now read-only.

Mon 3204 enable session cookie strict mode #7892

Merged
merged 14 commits into 19.04.x from MON-3204-enable-session-cookie-strict-mode
Oct 2, 2019

Conversation

@sc979 sc979 (Contributor) commented Oct 1, 2019

Pull Request Template

Description

  • Securing the PHPSESSID cookie from hijack or modifications using the session.strict_mode in the php.ini (these modifications have been removed from current PR; and already merged on centreon-build to be deployed with the next RPMs).

  • Regenerating the session_id() value after the login and after the logout

  • Minor typo and variable naming corrections

Fixes # (none)

Type of change

  • Patch fixing an issue (non-breaking change)
  • New functionality (non-breaking change)
  • Breaking change (patch or feature) that might cause side effects breaking part of the Software
  • Updating documentation (missing information, typo...)

Target series

  • 2.8.x
  • 18.10.x
  • 19.04.x
  • 19.10.x (master)

How can this pull request be tested?

Please describe the procedure to verify that the goal of the PR is matched. Provide clear instructions so that it can be correctly tested.

-> Please contact me

Checklist

Community contributors & Centreon team

  • I followed the coding style guidelines provided by Centreon
  • I have commented my code, especially new classes, functions or any legacy code modified. (docblock)
  • I have commented my code, especially hard-to-understand areas of the PR.
  • I have made corresponding changes to the documentation.
  • I have rebased my development branch on the base branch (master, maintenance).

Centreon team only

  • I have made sure that the unit tests related to the story are successful.
  • I have made sure that unit tests cover 80% of the code written for the story.
  • I have made sure that acceptance tests related to the story are successful (local and CI)

Co-Authored-By: Matthieu Kermagoret <mkermagoret@centreon.com>
@ganoze ganoze (Contributor) left a comment

IMHO the security fix about session fixation should also be applied within www/include/views/graphs/generateGraphs/generateImage.php

@sc979 sc979 merged commit e1b8b65 into 19.04.x Oct 2, 2019
@sc979 sc979 deleted the MON-3204-enable-session-cookie-strict-mode branch October 2, 2019 14:15
sc979 added a commit that referenced this pull request Oct 2, 2019
* fix(secu): enable session cookie strict mode

* fix(secu): destroy session cookie at logout

* enh(BE): correct variable name

* enh(BE): correct variable name and optim condition

* enh(BE): correct variable name

* enh(secu): remove all saved session of the disconnected user

* restore multi users current session management

* enh(BE): moving the session parameters in the php.ini

* fix(secu): regenerate session id after login

* enh(BE): remove the forced deletion of the cookie

* fix(secu): session fixation for the image generation autologin process

* fix(secu): activate the delete_old_sid param
@jeromedevel

This pull breaks my app Droideon because of the regeneration of cookies.

@sc979 sc979 (Contributor, Author) commented Oct 30, 2019

Hi @jeromedevel,
I'm sorry to hear that adding more security checks or correcting flaws, which may impact every user connected to Centreon, causes you trouble.
Indeed, the solution may seem extreme, but it was required.

As you can see in the OWASP resources: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
the regeneration of the sessionId is one of the best practices after any privilege level change.

If you need help to fix your application, you need to help us understand how and when your app is using the sessionId.

Regards
sc979
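The three measures the PR description lists (strict session-id mode, regenerating the session id after login, and tearing the session down at logout) and the OWASP guidance sc979 cites above (regenerate the id on any privilege-level change) fit together in one small handler pair. The following is an added illustration, not Centreon's code and not the content of this PR's commits; the function names `startHardenedSession`, `onLoginSuccess` and `onLogout` are assumptions, and the `setcookie()` options array and the `samesite` cookie parameter assume PHP 7.3 or later.

```php
<?php
// Added example (not Centreon code): hardened PHP session handling.
// - session.use_strict_mode makes PHP reject any session id it did not
//   issue itself, so an id planted by an attacker (session fixation) or
//   guessed by a client is discarded and a fresh one is generated.
// - session_regenerate_id(true) after login replaces the pre-auth id and
//   deletes the old session data, so the anonymous id never becomes an
//   authenticated one.
// - Logout clears server-side data, expires the cookie and destroys the session.
//
// The same settings expressed in php.ini (the PR moved them there):
//   session.use_strict_mode = 1
//   session.use_only_cookies = 1
//   session.cookie_httponly = 1
//   session.cookie_samesite = Strict
//   session.cookie_secure = 1        ; when the site is served over HTTPS

function startHardenedSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Runtime equivalents of the php.ini lines above; must precede session_start().
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_samesite', 'Strict');
    if (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') {
        ini_set('session.cookie_secure', '1');
    }
    session_start();
}

// Call only after credentials have been verified. $userId is a placeholder
// for whatever identity the application resolves.
function onLoginSuccess(int $userId): void
{
    startHardenedSession();
    // true: delete the old session file so the pre-login id cannot be reused
    // (the "delete old sid" behaviour named in the commit list).
    session_regenerate_id(true);
    $_SESSION = [];
    $_SESSION['user_id'] = $userId;
    $_SESSION['authenticated_at'] = time();
}

function onLogout(): void
{
    startHardenedSession();
    // 1. Drop server-side session state.
    $_SESSION = [];
    // 2. Expire the PHPSESSID cookie on the client with the same attributes
    //    it was set with, otherwise the browser keeps sending it.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    // 3. Remove the session record on the server.
    session_destroy();
}
```

Because the id is rotated at login, any client that caches a PHPSESSID obtained before authenticating (the situation @jeromedevel describes) must read the new cookie from the login response rather than reuse the earlier value; a quick check on a deployment is to capture the Set-Cookie headers before and after login and confirm the id differs and that a request carrying a made-up id is answered with a freshly issued one.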

4 participants