request #18377 Regenerate session ID when users sign in

Infos

Artifact ID#18377

Submitted byThomas Gerbet (tgerbet)

Last Modified On2020-11-27 13:59

Submitted on2020-11-26 18:19

Rank19929

Details

Summary *

Regenerate session ID when users sign in

Original Submission

Tuleap does not regenerate the session ID when a user signs in. The way the session is preserved on the client side (a http-only cookie with the same-site attribute and a host prefixe, see request #10979 for more information) makes it an hard target for a session fixation attack. Anyway it is a good practice to regenerate the session ID when the authentication context change so Tuleap should do it.

CategoryOther

Reported in versionAll

PlatformEmpty

Is an Enhancement or an internal improvement?

[ ] enhancement
[ ] internal improvement

CC listEmpty

Stage

Assigned toThomas Gerbet (tgerbet)

StatusClosed

Close date2020-11-27

Attachments

AttachmentsEmpty

References

Cross references

Referencing request #18377

Git commit

tuleap/tuleap/stable

Merge commit 'refs/changes/07/20907/1' of ssh://gerrit.tuleap.net:29418/tuleap ac24b34938

Manuel Vacelet (vaceletm) , 2020-11-27 13:58

request #18377: Regenerate session ID when users sign in 1a4674c7e6

Thomas Gerbet (tgerbet) , 2020-11-26 18:19

Show items referenced by request #18377

Referenced by request #18377

Artifact Tracker v5

request #10979 Implement Same-Site cookie and cookie prefixes protections

rel #16653 12.3

Other

Follow-ups

Manuel Vacelet (vaceletm)

2020-11-27 13:59

Integrated in Tuleap 12.2.99.99

Status changed from Under review to Closed
Connected artifacts
- Added Fixed in: rel #16653
Close date set to 2020-11-27

Thomas Gerbet (tgerbet)

2020-11-27 09:35

Status changed from Under implementation to Under review

Thomas Gerbet (tgerbet)

2020-11-26 18:25

Patch under review: gerrit #20907.