Opened 9 years ago
Closed 9 years ago
#2011 closed defect (fixed)
Check that session id and client id match every time a new page is requested
Reported by: | Nicklas Nordborg | Owned by: | everyone
---|---|---|---
Priority: | blocker | Milestone: | BASE 3.9
Component: | core | Version: |
Keywords: | | Cc: |
Description
It is possible to register client applications with BASE and use the sharing functionality to control which users have access to which clients. For example, the standard web client is shared to the Everyone group.

Now consider the use case where the web client should only be accessible to a smaller group, and another application is accessible to a different group (for example the FTP server, http://baseplugins.thep.lu.se/wiki/net.sf.basedb.ftp).

Since both the web client and the FTP server run in the same Tomcat instance, they share the same cache of SessionControl items. Now consider a user that is only allowed to use the FTP server but not the web client.

When the user logs in to the FTP server a session is assigned and stored in the cache. If the user somehow can get access to the ID it is possible to type in a URL that leads to a page in the web client (http://server.domain.name/trunk/my_base/index.jsp?ID=...).

Since a session with this ID already exists and a user is already logged in, the web page will be served without any check that the session actually belongs to a different client.

Before accepting a request for a given session we need to verify that the request comes from the same client application.
Change History (4)
comment:4 by , 9 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
(In [7158]) References #2011: Check that session id and client id match every time a new page is requested
This has now been implemented in the BASE Core API by adding a new Application.getSessionControl() method with 3 string arguments. The older 2-argument version will behave as if net.sf.basedb.clients.web is used. This change may break existing clients that are not built on top of the current web client. The only such client we currently know of is the FTP server extension, but this is not affected since it doesn't use the Application.getSessionControl() method. Fixing existing code that is affected should be relatively easy by replacing the old method call with a call to the new method and using the same client id as when the session was created.
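The check the ticket asks for, as an added Python example that models the shared session cache and is not BASE's own code: the pre-fix lookup hands out any cached session by ID alone, while the fixed lookup also requires the client id recorded at login to match, and defaults to the web client id when none is given, mirroring the 2-argument call described in the comment above. The FTP client id, the user name and the behaviour on mismatch (no session is returned and an audit record is kept) are assumptions.

```python
import secrets

# Client id of the standard web client (named in the ticket); the legacy
# 2-argument lookup behaves as if this client made the request.
WEB_CLIENT_ID = "net.sf.basedb.clients.web"
FTP_CLIENT_ID = "net.sf.basedb.ftp"  # constructed id for the FTP server extension


class SessionControl:
    """One logged-in session: the user and the client that created it."""
    def __init__(self, user, client_id):
        self.user = user
        self.client_id = client_id


class SessionCache:
    """Hypothetical stand-in for the Tomcat-wide cache shared by all clients."""
    def __init__(self):
        self._sessions = {}
        self.mismatches = []  # audit trail of rejected cross-client lookups

    def login(self, user, client_id):
        """Create a session bound to the client that authenticated the user."""
        session_id = secrets.token_hex(16)
        self._sessions[session_id] = SessionControl(user, client_id)
        return session_id

    def get_session_control_old(self, session_id):
        """Pre-fix lookup: any request that knows the ID gets the session."""
        return self._sessions.get(session_id)

    def get_session_control(self, session_id, client_id=WEB_CLIENT_ID):
        """Fixed lookup: only the client that created the session gets it back.
        Omitting client_id mirrors the legacy 2-argument call (web client)."""
        sc = self._sessions.get(session_id)
        if sc is None:
            return None
        if sc.client_id != client_id:
            # Record the mismatch for detection; treat the request as not logged in.
            self.mismatches.append((session_id, sc.client_id, client_id))
            return None
        return sc


def cross_client_reuse(cache):
    """Replay the ticket: an FTP-only user's session ID presented to the web client."""
    sid = cache.login("ftp-only-user", FTP_CLIENT_ID)
    before = cache.get_session_control_old(sid) is not None  # served before the fix
    after = cache.get_session_control(sid, WEB_CLIENT_ID) is not None  # rejected now
    legacy = cache.get_session_control(sid) is not None  # 2-arg form assumes web client
    own = cache.get_session_control(sid, FTP_CLIENT_ID) is not None  # FTP still works
    return before, after, legacy, own
```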