•  
      request #18377 Regenerate session ID when users sign in
    Infos
    #18377
    Thomas Gerbet (tgerbet)
    2020-11-27 13:59
    2020-11-26 18:19
    19840
    Details
    Regenerate session ID when users sign in
    Tuleap does not regenerate the session ID when a user signs in. The way the session is preserved on the client side (a http-only cookie with the same-site attribute and a host prefixe, see request #10979 for more information) makes it an hard target for a session fixation attack. Anyway it is a good practice to regenerate the session ID when the authentication context change so Tuleap should do it.
    Other
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Thomas Gerbet (tgerbet)
    Closed
    2020-11-27
    Attachments
    Empty
    References

    Follow-ups

    User avatar

    Integrated in Tuleap 12.2.99.99


    • Status changed from Under review to Closed
    • Connected artifacts
    • Close date set to 2020-11-27