Mercurial > libervia-web
comparison libervia/web/server/session_iface.py @ 1598:86c7a3a625d5
server: always start a new session on connection:
The session was kept when a user was connecting from service profile (but not from other
profiles), this was leading to session fixation vulnerability (an attacker on the same
machine could get service profile session cookie, and use it when a victim would log-in).
This patch fixes it by always starting a new session on connection.
fix 443
| author | Goffi <goffi@goffi.org> |
|---|---|
| date | Fri, 23 Feb 2024 13:35:24 +0100 |
| parents | 7941444c1671 |
| children |
comparison
equal
deleted
inserted
replaced
| 1597:c1c1d68d063e | 1598:86c7a3a625d5 |
|---|---|
| 36 NOTIFICATIONS_KEY = "_notifications" | 36 NOTIFICATIONS_KEY = "_notifications" |
| 37 MAX_CACHE_AFFILIATIONS = 100 # number of nodes to keep in cache | 37 MAX_CACHE_AFFILIATIONS = 100 # number of nodes to keep in cache |
| 38 | 38 |
| 39 | 39 |
| 40 class IWebSession(Interface): | 40 class IWebSession(Interface): |
| 41 profile = Attribute("Sat profile") | 41 profile = Attribute("Libervia profile") |
| 42 jid = Attribute("JID associated with the profile") | 42 jid = Attribute("JID associated with the profile") |
| 43 uuid = Attribute("uuid associated with the profile session") | 43 uuid = Attribute("uuid associated with the profile session") |
| 44 identities = Attribute("Identities of XMPP entities") | 44 identities = Attribute("Identities of XMPP entities") |
| 45 | 45 |
| 46 | 46 |