id: 2011
summary: Check that session id and client id match every time a new page is requested
reporter: Nicklas Nordborg
owner: everyone
type: defect
status: closed
priority: blocker
milestone: BASE 3.9
component: core
resolution: fixed

description:

It is possible to register client applications with BASE and use the sharing functionality to control which users have access to which clients. For example, the standard web client is shared to the `Everyone` group. Now consider the use case that the web client should only be accessible by a smaller group and another application is accessible by a different group (for example the FTP server http://baseplugins.thep.lu.se/wiki/net.sf.basedb.ftp).

Since both the web client and the FTP server run in the same Tomcat instance they share the same cache of `SessionControl` items. Now consider a user that is only allowed to use the FTP server but not the web client. When the user logs in to the FTP server a session is assigned and stored in the cache. If the user somehow gets access to the session ID it is possible to type in a URL that leads to a page in the web client (`http://server.domain.name/trunk/my_base/index.jsp?ID=...`). Since a session with this ID already exists and a user is already logged in, the web page will be served without any check that the session actually belongs to a different client.

Before accepting a request for a given session we need to verify that the request comes from the same client application.
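The check the ticket asks for, shown as an added illustration rather than BASE's own `SessionControl` code: a shared session cache that records which client application issued each session and refuses to hand the session to any other client on every lookup. The cache class, user name and the web client id `net.sf.basedb.webclient` are constructed for the example; `net.sf.basedb.ftp` is the FTP server named in the ticket.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Session:
    session_id: str
    user: str
    client_id: str  # client application the session was issued to


class SessionCache:
    """One cache shared by every client app in the same Tomcat instance
    (constructed stand-in for the cache of SessionControl items)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, client_id: str) -> str:
        # Record the issuing client together with the session.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(sid, user, client_id)
        return sid

    def lookup_unchecked(self, session_id: str) -> Optional[Session]:
        """Pre-fix behaviour: any client that presents a cached ID gets the session."""
        return self._sessions.get(session_id)

    def lookup(self, session_id: str, client_id: str) -> Optional[Session]:
        """Fixed behaviour, run on every request: a session is only returned to
        the client it was issued to; a mismatch looks like an unknown ID."""
        session = self._sessions.get(session_id)
        if session is None or not secrets.compare_digest(session.client_id, client_id):
            return None
        return session


def demo() -> tuple:
    """Returns (unchecked lookup succeeds, wrong client rejected, right client accepted)."""
    cache = SessionCache()
    sid = cache.login("ftp-only-user", "net.sf.basedb.ftp")  # constructed user
    served_unchecked = cache.lookup_unchecked(sid) is not None
    web_rejected = cache.lookup(sid, "net.sf.basedb.webclient") is None  # constructed id
    ftp_accepted = cache.lookup(sid, "net.sf.basedb.ftp") is not None
    return served_unchecked, web_rejected, ftp_accepted
```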