Skip to main content

Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

    •  
      request #18377 Regenerate session ID when users sign in
    Actions
    Infos
    #18377
    Thomas Gerbet (tgerbet)
    2020-11-27 13:59
    2020-11-26 18:19
    19928
    Details
    Regenerate session ID when users sign in
    Tuleap does not regenerate the session ID when a user signs in. The way the session is preserved on the client side (a http-only cookie with the same-site attribute and a host prefixe, see request #10979 for more information) makes it an hard target for a session fixation attack. Anyway it is a good practice to regenerate the session ID when the authentication context change so Tuleap should do it.
    Other
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Thomas Gerbet (tgerbet)
    Closed
    2020-11-27
    Attachments
    Artifact links

    Releases

    Fixed in

    Artifact ID Project Tracker Summary Status Last Update Date Submitted By Assigned to
    rel #16653 Tuleap Releases 12.3 Delivered 2020-12-10 09:59 Manuel Vacelet (vaceletm)
    Empty
    References
    Referencing request #18377

    Git commit

    tuleap/tuleap/stable

    Merge commit 'refs/changes/07/20907/1' of ssh://gerrit.tuleap.net:29418/tuleap ac24b34938
    User avatar Manuel Vacelet (vaceletm) , 2020-11-27 13:58
    request #18377: Regenerate session ID when users sign in 1a4674c7e6
    User avatar Thomas Gerbet (tgerbet) , 2020-11-26 18:19
    Display settings

    Follow-ups

    User avatar
    Manuel Vacelet (vaceletm)2020-11-27 13:59

    Integrated in Tuleap 12.2.99.99

    • Status changed from Under review to Closed
    • Connected artifacts
    • Close date set to 2020-11-27