Strange behaviour with JSESSIONID creating Session Fixation issue

hiten_rastogi1
Established Member

Strange behaviour with JSESSIONID creating Session Fixation issue

Hi,

After adding an OOTB evaluator, group.module.evaluator, in my extension module for hiding the Create Site option for non-admin users, which BTW works fine, I can see that there is a change in the way the JSESSIONID is created.

In a normal standalone Share project the JSESSIONID is created when the user logs in and refreshes on every login, but after adding the above evaluator I can see that the JSESSIONID is created the moment I hit the login page, and it stays there even after the login but refreshes on every logout.

I did some digging into the Alfresco code for the evaluator bean and found out that the isMemberOfGroups method of the SlingshotEvaluatorUtil class, called from the SlingshotGroupModuleEvaluator class, creates a session for storing the GROUP membership in the session.

Now this behaviour creates a Session Fixation issue that permits an attacker to hijack a valid user session.

Can anyone please suggest what can be done here?

Thanks

Hiten Rastogi

3 Replies
afaust
Master

Re: Strange behaviour with JSESSIONID creating Session Fixation issue

Create an issue in the Alfresco JIRA and maybe even a pull request on the Alfresco Surf project to make the login controller always create a new session as part of the login (currently it only creates a new session if the old session contains a specific attribute to denote an already authenticated user).
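
Illustrating the change Axel describes, as an added example that is not Alfresco Surf's code: a hypothetical login handler in the weak form the thread describes (new session only when the old one already carries an authenticated-user marker) beside one that always discards the pre-login session id. The attribute name and the `ui.` allow-list prefix are assumptions.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical login handling; not Alfresco Surf's login controller. */
public final class LoginSessionHandling {

    // Hypothetical marker attribute; the real Surf attribute name is not given in the thread.
    static final String AUTHENTICATED_USER = "_authenticated_user";

    /**
     * Weak variant: the session is only replaced if it already marks an authenticated user.
     * A session created before login (e.g. by an evaluator caching group membership)
     * carries no such marker, so the pre-login JSESSIONID survives authentication and
     * an id fixed before login stays valid afterwards.
     */
    static HttpSession weakLogin(HttpServletRequest request, String username) {
        HttpSession session = request.getSession(true);
        if (session.getAttribute(AUTHENTICATED_USER) != null) {
            session.invalidate();
            session = request.getSession(true);
        }
        session.setAttribute(AUTHENTICATED_USER, username);
        return session;
    }

    /** Hardened variant: unconditionally retires the pre-login session on successful login. */
    static HttpSession hardenedLogin(HttpServletRequest request, String username) {
        HttpSession old = request.getSession(false);
        Map<String, Object> carried = new HashMap<>();
        if (old != null) {
            // Carry over only non-sensitive UI state; drop everything else (incl. cached group data).
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                if (name.startsWith("ui.")) {          // hypothetical allow-list prefix
                    carried.put(name, old.getAttribute(name));
                }
            }
            old.invalidate();                           // the pre-login JSESSIONID is now dead
        }
        HttpSession fresh = request.getSession(true);   // container issues a brand-new id
        carried.forEach(fresh::setAttribute);
        fresh.setAttribute(AUTHENTICATED_USER, username);
        return fresh;
    }
}
```

On a Servlet 3.1+ container, `request.changeSessionId()` achieves the same id rotation without invalidating the session, which avoids the attribute copy when all existing state is safe to keep.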

hiten_rastogi1
Established Member

Re: Strange behaviour with JSESSIONID creating Session Fixation issue

Thanks Axel,

I have created an issue. 

https://issues.alfresco.com/jira/browse/AIF-430 

afaust
Master

Re: Strange behaviour with JSESSIONID creating Session Fixation issue

NEVER create an issue in any project other than ALF unless you are absolutely sure it is the right one. The project you have chosen has nothing to do with Share...