Check that session id and client id match every time a new page is requested
Reported by: Nicklas Nordborg. Owned by: everyone.
It is possible to register client applications with BASE and use the sharing functionality to control which users have access to which clients. For example, the standard web client is shared to the
Now consider the use case that the web client should only be accessible by a smaller group and another application that is accessible by a different group (for example the ftp server http://baseplugins.thep.lu.se/wiki/net.sf.basedb.ftp).
Since both the web client and the FTP server run in the same Tomcat instance, they share the same cache of SessionControl items. Now consider a user that is only allowed to use the FTP server but not the web client.
When the user logs in to the FTP server a session is assigned and stored in the cache. If the user somehow gets hold of the session ID, it is possible to type in a URL that leads to a page in the web client (
Since a session with this ID already exists and a user is already logged in, the web page will be served without any check that the session actually belongs to a different client.
Before accepting a request for a given session we need to verify that the request comes from the same client application.
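The check described above, as an added illustration that is not BASE's own SessionControl code: a hypothetical session cache that records which client application created each session at login, and a lookup that refuses to serve a request unless the requesting client matches the stored one. All class, method and client-id names here are assumptions chosen for the example.

```java
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical stand-in for a shared session cache (not BASE's SessionControl API).
public class SessionClientCheck {

    /** A cached session remembers the client application that performed the login. */
    static final class CachedSession {
        final String sessionId;
        final String clientId;   // client application that created this session
        final String user;
        CachedSession(String sessionId, String clientId, String user) {
            this.sessionId = sessionId;
            this.clientId = clientId;
            this.user = user;
        }
    }

    // One cache shared by every client application running in the same Tomcat instance.
    private final Map<String, CachedSession> cache = new ConcurrentHashMap<>();

    /** Login: assign a session ID and record which client it belongs to. */
    String login(String clientId, String user) {
        String sessionId = UUID.randomUUID().toString();
        cache.put(sessionId, new CachedSession(sessionId, clientId, user));
        return sessionId;
    }

    /** Pre-fix behaviour: a known session ID is enough, regardless of which client asks. */
    CachedSession lookupById(String sessionId) {
        return cache.get(sessionId);
    }

    /**
     * Fixed behaviour: the session must exist AND have been created by the
     * client application that is now presenting it. A mismatch is treated
     * exactly like an unknown session, so the caller redirects to its login page
     * and does not learn that the ID is valid elsewhere.
     */
    CachedSession lookup(String sessionId, String requestingClientId) {
        CachedSession session = cache.get(sessionId);
        if (session == null) {
            return null;
        }
        if (!session.clientId.equals(requestingClientId)) {
            return null;
        }
        return session;
    }

    public static void main(String[] args) {
        SessionClientCheck sessions = new SessionClientCheck();
        // Constructed client identifiers and user name for the demonstration.
        String ftpClient = "ftp-server";
        String webClient = "web-client";
        String ftpSession = sessions.login(ftpClient, "ftp-only-user");

        System.out.println("ID-only lookup from the web client serves the page: "
                + (sessions.lookupById(ftpSession) != null));
        System.out.println("Client-checked lookup from the web client serves the page: "
                + (sessions.lookup(ftpSession, webClient) != null));
        System.out.println("Client-checked lookup from the FTP server serves the request: "
                + (sessions.lookup(ftpSession, ftpClient) != null));
    }
}
```

The client ID must come from the application handling the request (its own registered identity), never from anything the user supplies; otherwise the check would only move the problem from guessing a session ID to guessing a client ID.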