#2011 closed defect (fixed)

Check that session id and client id match every time a new page is requested

Reported by: nicklas Owned by: everyone
Priority: blocker Milestone: BASE 3.9
Component: core Version:
Keywords: Cc:

Description

It is possible to register client applications with BASE and use the sharing functionality to control which users that have access to which clients. For example, the standard web client is shared to the Everyone group.

Now consider the use case that the web client should only be accessible by a smaller group and another application that is accessible by a different group (for example the ftp server http://baseplugins.thep.lu.se/wiki/net.sf.basedb.ftp).

Since both the web client and FTP server runs in the same Tomcat instance they share the same cache with SessionControl items. Now consider a user that is only allowed to use the FPT server but not the web client.

When the user logs in to the FTP server a session is assigned and stored in the cache. If the user somehow can get access to the ID it is possible to type in a URL that leads to a page in the web client (http://server.domain.name/trunk/my_base/index.jsp?ID=...).

Since a session with this ID already exists and a user is already logged in, the web page will be served without any check that the session actually belongs to a different client.

Before accepting a request for a given session we need to verify that the request comes from the same client application.

Change History (4)

comment:1 Changed 18 months ago by nicklas

(In [7158]) References #2011: Check that session id and client id match every time a new page is requested

This has now been implemented in the BASE Core API by adding a new Application.getSessionControl() method with 3 string arguments. The older 2-argument version will behave as if net.sf.basedb.clients.web is used.

This is change may break existing clients that are not built on top of the current web client. The only such client we currently know of is the FTP server extension but this is not affected since it doesn't use the Application.getSessionControl() method.

Fixing existing code that is affected should be relatively easy by replacing the old method call with a call to the new method and using the same client id as when the session was created.

comment:2 Changed 18 months ago by nicklas

(In [7159]) References #2011: Check that session id and client id match every time a new page is requested

Made some more changes to the API for getting existing session control to make it easier for client/extension code to get a session control and check that a user is logged in.

comment:3 Changed 18 months ago by nicklas

(In [7161]) References #2011: Check that session id and client id match every time a new page is requested

Added notes in the documentation that this change may affect backwards compatibility.

comment:4 Changed 18 months ago by nicklas

  • Resolution set to fixed
  • Status changed from new to closed
Note: See TracTickets for help on using tickets.